Re: Can we deprecate NSS signtool?

2017-07-03 Thread Kyle Hamilton
http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html It is probably not as complicated to change the default in a compatible way as you think. However, I don't know if anyone still uses signtool. -Kyle H On Mon, Jul 3, 2017 at 4:49 AM, Kai Engert wrote: > The NSS util

Re: Are NSS bug fix releases still FIPS 140-2 certified?

2017-02-13 Thread Kyle Hamilton
You must use the specific binaries of version 3.12.9.1 from back in 2012 to be really, honestly, truly FIPS 140 compliant. Further, you must use a FIPS-certified implementation to verify the integrity of that version in order to be really, no kidding FIPS 140 compliant, or get it on a disk directl

Re: Can wrapped master secret be unwrapped only using fields from sslSessionID structure?

2017-02-01 Thread Kyle Hamilton
https://bugzilla.mozilla.org/show_bug.cgi?id=1183318 is a thing. If this is related to a communication from Firefox, SSLKEYLOGFILE doesn't work. Memory dumps can be created by malware. Packet captures can be created by anyone who has access to what should have been (but which have been in practi

Re: Announcing Mozilla::PKIX, a New Certificate Verification Library

2014-04-28 Thread Kyle Hamilton
(quick correction to my prior email: the certificates issued by the intermediate are valid for up to 15 months in that example, and the key is retired when it cannot sign anything with a validity less than 12 months.) -Kyle H On Mon, Apr 28, 2014 at 4:10 PM, Kyle Hamilton wrote: On Fri, Apr

Re: Announcing Mozilla::PKIX, a New Certificate Verification Library

2014-04-28 Thread Kyle Hamilton
On Fri, Apr 25, 2014 at 6:59 AM, Erwann Abalea wrote: > On Friday, 25 April 2014 13:46:51 UTC+2, Martin Paljak wrote: >> On Thu, Apr 24, 2014 at 9:07 PM, Kathleen Wilson wrote: >> > Also, we added a section to the wiki page to list some behavior changes that >> > could cause a website certifi

Re: Chrome: From NSS to OpenSSL (tangent: softoken rant)

2014-01-31 Thread Kyle Hamilton
softoken also isn't a complete implementation of a PKCS#11 module. It's "just good enough" to be used by NSS, not good enough to be used by other PKCS#11 platforms. It's disturbing that it's never been completed. It's more disturbing because the keys I might have in FIPS softoken can't be used in

Re: Need to use the main NSS module as a PKCS#11 module in IBM Notes

2013-09-11 Thread Kyle Hamilton
relyea or other contributors to https://developer.mozilla.org/en-US/docs/PKCS11_FAQ : Can you please give some references to the "other products [which] have managed to get it to work in their environment"? Thanks. -Kyle H On Wed, Sep 11, 2013 at 6:10 PM, Kyle Hamilton wrote: >

Re: Need to use the main NSS module as a PKCS#11 module in IBM Notes

2013-09-11 Thread Kyle Hamilton
are or hardware based. > > Good starter documents are > https://developer.mozilla.org/en-US/docs/NSS_reference and > https://developer.mozilla.org/en-US/docs/NSS#Background_Information > and https://developer.mozilla.org/en-US/docs/NSS/NSS_API_GUIDELINES has a > layering diag

Re: Need to use the main NSS module as a PKCS#11 module in IBM Notes

2013-09-11 Thread Kyle Hamilton
tps://developer.mozilla.org/en-US/docs/NSS_reference and > https://developer.mozilla.org/en-US/docs/NSS#Background_Information > and https://developer.mozilla.org/en-US/docs/NSS/NSS_API_GUIDELINES has a > layering diagram > > -Elio > > > On Sat, Aug 24, 2013 at 6:02 PM, K

Need to use the main NSS module as a PKCS#11 module in IBM Notes

2013-08-24 Thread Kyle Hamilton
Hi, I'm finding myself in a situation where I need to use the certificates and keys stored in my standard NSS profile in other applications. My initial, naïve idea was that NSS itself is a PKCS#11 module. Unfortunately, this appears to be not the case. When trying to find the right DLL to load i

Re: Feedback on DOMCryptInternalAPI

2012-05-03 Thread Kyle Hamilton
On Thu, Apr 26, 2012 at 12:32 AM, helpcrypto helpcrypto wrote: Supporting smart cards in the spec and first implementations is not a goal, however, I think a lot of the base work we are doing will help in a future iteration. For instance, I hope that this Gecko 'internal API' will help ext

Re: Feedback on DOMCryptInternalAPI

2012-05-03 Thread Kyle Hamilton
On Thu, May 3, 2012 at 4:27 PM, Wan-Teh Chang wrote: David, Here are my review comments on https://wiki.mozilla.org/DOMCryptInternalAPI: 1. I don't understand the difference between the two methods that generate key pairs:    PKGenerateKeyPair    SigGenerateKeyPair GenerateKeyPair(purpose:

Re: Feedback on DOMCryptInternalAPI

2012-05-03 Thread Kyle Hamilton
vid Dahl wrote: - Original Message ----- From: "Kyle Hamilton" CMS does not require DER.   It requires BER, specifically to handle indefinite-length streams.  It may be the case that there are multiple sections of code writing to the same stream, as a valid (though spaghetti-codish)

Re: Feedback on DOMCryptInternalAPI

2012-05-03 Thread Kyle Hamilton
On Thu, Apr 26, 2012 at 12:32 AM, helpcrypto helpcrypto wrote: Supporting smart cards in the spec and first implementations is not a goal, however, I think a lot of the base work we are doing will help in a future iteration. For instance, I hope that this Gecko 'internal API' will help ext

Re: Feedback on DOMCryptInternalAPI

2012-04-20 Thread Kyle Hamilton
[dev-tech-crypto followup] On Fri, Apr 20, 2012 at 8:11 AM, David Dahl wrote: We could also return the hash or hmac producing object like: var h = window.crypto.hash(alg); This would be the most general way to handle it. (I'm told that 'generality is the key'.) Why is it that I get

Re: ETA on "smaller stick" penalty for CA Violations? (paging bsmith)

2012-02-19 Thread Kyle Hamilton
On Sat, Feb 18, 2012 at 5:46 PM, Stephen Schultze wrote: Brian has in the past discussed proposed updates to NSS that would allow us to penalize bad CA behavior by removing trust of all certs from a given CA that were issued after a given date (or even for X amount of time after a given date).

Re: For discussion: MECAI: Mutually Endorsing CA Infrastructure

2012-02-07 Thread Kyle Hamilton
Why not just use the secure domain transfer identifier? Only the real holder of the domain has that. -Kyle H On Mon, Feb 6, 2012 at 12:21 PM, Kai Engert wrote: On 21.10.2011 15:09, Kai Engert wrote: This is an idea how we could improve today's world of PKI, OCSP, CA's. https://kuix.de/me

Internet-Draft for a quick-and-dirty incremental improvement, whitelist-based CRL processing

2011-10-21 Thread Kyle Hamilton
http://www.ietf.org/id/draft-hamilton-cmr-00.txt Basic overview: 1) Import CRLv2 and all semantics. 2) Change the integer identifying the sequence format from 1 to 3 (v4). 2) Change default processing path to INVALID/REVOKED. 3) Place all potentially-valid (i.e., issued certificates which have n

Re: Protecting PRNG against malicious users / multiple independent PRNG states

2011-08-01 Thread Kyle Hamilton
Using a separate PRNG state for each origin will ensure that entropy is reused (since all of them will need to seed from the same master PRNG). This is bad. Not seeding them from the same master PRNG would reduce the entropy available in each state. As was the case with Netscape Navigator in the

Re: TLS server keys in DNS: client policy proposal

2011-03-28 Thread Kyle Hamilton
On Sun, Feb 13, 2011 at 5:20 AM, Eddy Nigg wrote: I can see how DANE could be useful with CA issued certificates. The above is a non-starter (at least for me) and rather dangerous for any third party relying on it. But those are my opinions at least if and until this gets implemented anywhere

Re: Waldemar Kozba: I am not at work.

2010-08-02 Thread Kyle Hamilton
"I'm not at work from 2010-08-02 until 2010-08-09. For matters relating to project ZMOKU contact Krzysztof Borgul. For organizational design team matters, contact Łukasz Ryfa. I will respond to your message when you return." (approximately, fighting Google Translate's weird mockery of sentence an

Re: cmsutil: deprecated class usage

2010-07-29 Thread Kyle Hamilton
If you have something that looks like '[2^i' in your source file, it means that there's probably an 'esc' character in there as well, and it looks like someone tried to use arrow keys on a VT102-akin terminal to edit it. Delete your current tree, download the package again, unpack it, and try rec

Re: The Rational Rejection of Security Advice by Users by Cormac Herley

2010-05-21 Thread Kyle Hamilton
2010/5/21 Robert Relyea : > On 05/21/2010 07:52 AM, Gervase Markham wrote: >> On 21/05/10 05:36, Matt McCutchen wrote: >>> I'm not claiming that the user knows.  I only said that if there is in >>> fact no impersonation, then the error is a false positive. >> >> This seems a fine definition to me.

Re: The Rational Rejection of Security Advice by Users by Cormac Herley

2010-05-20 Thread Kyle Hamilton
The way that commercial "certifying authorities" have gone about things thus far is completely antithetical to how business is transacted on the commercial internet. (hint: banks require *two* forms of ID in order to open a bank account, and CAs provide only *one*. How would you solve this proble

Re: ocsp check problem: sec_error_bad_database

2010-03-16 Thread Kyle Hamilton
Your profile's certificate and trust database appears to be corrupted, and therefore it can't check to see if the OCSP responder's certificate is okay. You'll need to quit Firefox, move the current key*.db, cert*.db, and secmod.db files out of the profile directory (to a backup location), and then

Re: Creating digital signature with JS in Firefox?

2010-02-02 Thread Kyle Hamilton
I believe there's something available called KeyManager that should help, from https://addons.mozilla.org/en-US/firefox/addon/4471 . It uses XPCOM IDL to access the platform security module. (It also has an explicit .xpi signing option; I don't know if that will help, but it might be useful.) -K

Re: ECC DER Signing

2010-01-14 Thread Kyle Hamilton
Are you certain that certutil is using the version of the NSS library that has ECC support compiled in? Most *nixes have a command called 'ldd' or such that will print the list of dynamic libraries that an executable depends on, as well as what files the system is using to match them. Windows has

Re: Firefox Certificate window

2009-12-04 Thread Kyle Hamilton
On Fri, Dec 4, 2009 at 10:33 AM, Nelson B Bolyard wrote: > > Stefan, You're asking a question about a portion of Firefox known as PSM. > PSM implements Firefox's certificate UI, and it also implements Firefox's > JavaScript support for access to certificates.  It interfaces to the > underlying cry

Re: negotiation question

2009-11-30 Thread Kyle Hamilton
On Mon, Nov 30, 2009 at 1:07 PM, Ian G wrote: > I agree.  It breaches that fundamental law of the Iang's mind-space: there > is only one mode, and it is secure.  Break the law, time folds and inverts > on itself, and Mallory slips between your bytes. 'secure' is a state of mind, not too different

Re: negotiation question

2009-11-30 Thread Kyle Hamilton
On Mon, Nov 30, 2009 at 10:50 AM, Rob Crittenden wrote: > I'm considering how to handle SSL re-negotiation in the Apache NSS provider > mod_nss to handle the SSL client-initiated handshake bug. > > NSS provides a callback, SSL_HandshakeCallback(), which according to the > docs is called when an SS

Re: Is there any way to install my PKCS11 library for firefox globally, instead of only for current profile/user?

2009-11-09 Thread Kyle Hamilton
Nope. Each user's profile has its own copy of the database which contains pointers to which PKCS11 modules are installed and accepted by that profile's user. It is, however, possible to use the nss command-line tools to add it from the command line to each user's profile. Then, all you have to d

Re: How to "log out" of SDR?

2009-10-14 Thread Kyle Hamilton
On Wed, Oct 14, 2009 at 12:23 PM, Nelson B Bolyard wrote: > On 2009-10-14 11:37 PDT, Honza Bambas wrote: >> Nelson B Bolyard wrote: > >>> By the way, I REALLY REALLY wish that the password manager would use that >>> when you click the button to reveal the passwords, instead of doing what >>> it do

Re: is there any way to connect without CA?

2009-10-09 Thread Kyle Hamilton
On Thu, Oct 8, 2009 at 4:12 PM, Nelson B Bolyard wrote: > > Have you read through the documentation on libSSL? > http://www.mozilla.org/projects/security/pki/nss/ref/ssl/index.html > > The determination that a certificate is or is not acceptable is the > responsibility of the application that uses

Re: is there any way to connect without CA?

2009-10-09 Thread Kyle Hamilton
On Thu, Oct 8, 2009 at 1:30 PM, Daniel Veditz wrote: > > Needless to say what you're proposing can't be called "SSL" anymore and > there are sound security reasons SSL does not work that way. Using such a > client to connect to commercial, financial, or government sites would be > profoundly dange

Re: why client certs

2009-10-07 Thread Kyle Hamilton
On Wed, Oct 7, 2009 at 6:57 AM, Ian G wrote: > On 07/10/2009 15:46, Anders Rundgren wrote: >> >> Ian G wrote: >>> For Mozilla, which should be interested in end-user security, an >>> entirely different subject to client-wallet security, this should be >>> much closer to something interesting. >>

Re: [Fwd: How to display the cause of an SSL client authentication failure]

2009-10-06 Thread Kyle Hamilton
. I'd bet that there's a lot of discussion in the archive of the pkix working group's tls list about why it was dropped, but I was not subscribed at the time it was discussed so I'm not certain.) -Kyle H On Tue, Oct 6, 2009 at 6:13 PM, Eddy Nigg wrote: > On 10/07/2009 02:04 AM,

Re: [Fwd: How to display the cause of an SSL client authentication failure]

2009-10-06 Thread Kyle Hamilton
hat it's revoked by checking the issuer. That alone should be enough to suggest that the information that is provided in the generic "handshake_failure" is completely and utterly worse than useless, since there's any number of things that can cause it, and a lot of them aren't in

Re: [Fwd: How to display the cause of an SSL client authentication failure]

2009-10-06 Thread Kyle Hamilton
On Mon, Oct 5, 2009 at 11:38 AM, Eddy Nigg wrote: >> I don't think anyone is doubting that both FF and IE have some problems >> with the way they handle client auth. Most of these problems can be >> worked around on the server (use request, not require, through an error >> page if the cert you wa

Re: [Fwd: How to display the cause of an SSL client authentication failure]

2009-10-04 Thread Kyle Hamilton
On Sun, Oct 4, 2009 at 2:30 PM, Ian G wrote: > On 04/10/2009 22:37, Eddy Nigg wrote: >> >> On 10/04/2009 09:23 PM, Nelson B Bolyard: >>> >>> On 2009-10-03 15:52 PDT, Jereme Bulzor wrote: >>> I've enabled client authentication in Sun One Web Server 6.1 and it does work fine when the clien

Re: CA root cert removal policy and process

2009-09-26 Thread Kyle Hamilton
2009/9/25 Robert Relyea : > > Because of the way the system works, deleting a cert from builtins would be > equivalent to marking it untrusted. The user could still override our choice > in softoken. Unfortunately the trustorder is set on the module, not the slot > (/me mentally slapping myself for

Re: Rus GOST 89

2009-09-13 Thread Kyle Hamilton
On Sep 13, 2009, at 9:29, Nelson B Bolyard wrote: On 2009-09-13 06:26 PDT, Frank Hecker wrote: However since all the relevant code was contributed by Cryptocom, all we need to do is to ask permission from Cryptocom to be able to use the source files in NSS under the NSS licensing arrangeme

Re: x509 certificate signature algorithm question

2009-08-19 Thread Kyle Hamilton
Typically, that means MD5 with RSA Encryption. On Wed, Aug 19, 2009 at 3:12 PM, David Keeler wrote: > Wan-Teh Chang wrote: >> >> I think "rsa encryption" is a public key algorithm, where as >> "sha1 with rsa encryption" is a signature algorithm. > > Thank you for the quick response.  This isn't qu

Re: Extract Mozilla trusted certs into PEM files?

2009-08-05 Thread Kyle Hamilton
There's a perl script to extract all the data from the certdata.txt file. You can find it at http://www.floodgap.com/software/ttytter/mk-ca-bundle.txt . -Kyle H On Wed, Aug 5, 2009 at 4:20 PM, Nelson Bolyard wrote: > Hi all, > > Quite a while ago, I read a message from someone saying he had devi

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-06 Thread Kyle Hamilton
Users are never told that a PIN is a password is a passphrase. So, they believe that a "PIN" is not a "password", and a "password" is not a "passphrase". So they think "I have to type my password to get access to this", not "the device is asking for my PIN to do what it's been asked to do." User

USB device profile for smart-card readers (was: Problem reading certificate from hardware token)

2009-07-02 Thread Kyle Hamilton
ber whenever I try to log into my account. This shows two separate types of authentication: something I know and something I have. Unless both the phone and the network are both tapped and redirected by Mallory, it's unlikely to be a problem. And, let's face it: the US government has ac

Re: Problem reading certificate from hardware token

2009-07-02 Thread Kyle Hamilton
USB does actually have a PKCS#10 device reader profile. If you were to extend that by adding a generic "oh, it also has a device in a slot that performs these functions" layer that was exposed through the device-reader profile, it would be universal -- and universally implemented in the platform i

Re: clarifications on TLS extension "Certificate Status Request"

2009-06-25 Thread Kyle Hamilton
i.e., you're implementing so-called "OCSP Stapling". Thank you. :) If the client requires a specific responderID, and the server knows nothing about it (it's not in its listed stores, either as hash or subjectName), I would think that it normally should return a response indicating failure (OCSP

Re: Full Listing of Included CAs

2009-06-22 Thread Kyle Hamilton
Am I correct in inferring that to the best of your knowledge, if a root does not have a bug number associated with it, it is a "legacy" root (one that was inherited from Netscape/AOL)? If so, this is an even more useful list so that we can see which roots need additional examination. :) -Kyle H

Re: Full Listing of Included CAs

2009-06-22 Thread Kyle Hamilton
Could I suggest that you also send a copy of this message (including URLs) to dev-security-policy? Much appreciated. :) (And very good work!) -Kyle H On Mon, Jun 22, 2009 at 1:11 PM, Kathleen Wilson wrote: > Based on the Firefox 3.5 beta, I created a table of all of the CAs > that are Builtin O

Re: Full Listing of Included CAs

2009-06-22 Thread Kyle Hamilton
Is there an updated request in the queue for O=ABC.ECOM, INC? That one expires 7/9/2009, which is less than a month from now. Are we going to enforce a 2048-bit root requirement after Dec 31, 2010 (per NIST non-classified recommendation)? If so, we need to get the Digital Signature Trust Co Glob

Re: S/MIME in Thunderbird

2009-06-19 Thread Kyle Hamilton
No, it just means that Thunderbird needs to catch up with the times and implement a newer version of the specifications, one that was written after the US's draconian ITAR rules were changed. -Kyle H On Fri, Jun 19, 2009 at 6:48 AM, Georgi Guninski wrote: > On Fri, Jun 19, 2009 at 03:36:08PM +020

Re: How to export private key using pk12util

2009-04-23 Thread Kyle Hamilton
Is there a pk1util that would allow for PKCS#1 management? I think that would be more useful than requiring a self-signed public key wrapper for pk12util. -Kyle H On Thu, Apr 23, 2009 at 1:45 PM, Nelson B Bolyard wrote: > Andriy Zakharchuk wrote, On 2009-04-23 12:07: >> Hello all, >> >> I have

Re: The element

2009-04-18 Thread Kyle Hamilton
On Mon, Apr 6, 2009 at 8:37 PM, Ian Hickson wrote: >> Submission formats: >> >> The default format, introduced by Netscape, is the SPKAC format, see the >> above link, and includes the public key and the Keygen challenge >> attribute, and is signed by the private key. >> >> The actual standardized

Re: client certificates unusable?

2009-03-27 Thread Kyle Hamilton
nd identity.) Instead of On Fri, Mar 27, 2009 at 8:53 AM, Eddy Nigg wrote: > On 03/27/2009 04:40 PM, Kyle Hamilton: >>> >>> And fortunately I'm glad to inform you that he wouldn't have received a >>> verified certificate from StartCom. I'm not say

Re: client certificates unusable?

2009-03-27 Thread Kyle Hamilton
On Fri, Mar 27, 2009 at 5:48 AM, Eddy Nigg wrote: > On 03/27/2009 02:16 PM, Kyle Hamilton: >> >> I'm also going to state, once more: your Assumptions (in this case, >> your Beliefs) are what are making this system NOT WORK.  Your Beliefs >> are what are p

Re: client certificates unusable?

2009-03-27 Thread Kyle Hamilton
2009/3/27 Eddy Nigg : > By the way, I'm *absolutely disgusted* by seeing the CN field be > "Startcom Free Certificate Member". > > Perhaps you haven't used S/MIME certs from other providers then :-) "Thawte Freemail Member". "Startcom Free Certificate Member". Same difference. I'm not looki

Re: client certificates unusable?

2009-03-26 Thread Kyle Hamilton
On Thu, Mar 26, 2009 at 3:41 PM, Ian G wrote: > On 24/3/09 21:21, Kyle Hamilton wrote: > >> (The US Patent and Trademark Office does it by sending a transaction >> ID number via postal mail, and a verification code via email to the >> address-of-record, only after a notar

Re: client certificates unusable?

2009-03-26 Thread Kyle Hamilton
On Thu, Mar 26, 2009 at 6:12 PM, Eddy Nigg wrote: > On 03/27/2009 03:58 AM, Ian G: >> >> Encryption would give more privacy of emails, where otherwise there was >> less privacy. >> > > S/MIME encryption without assuring the email address is security theater. > What you suggest would be even counte

Re: client certificates unusable?

2009-03-26 Thread Kyle Hamilton
On Thu, Mar 26, 2009 at 4:46 PM, Ian G wrote: > On 25/3/09 01:06, Eddy Nigg wrote: >> >> On 03/25/2009 12:35 AM, Kyle Hamilton: > >> I don't understand how this is connected to the initial idea of finding >> some better ways to use client certificates for mail

Re: ComSign Root Inclusion Request

2009-03-26 Thread Kyle Hamilton
Thank you for your diligence, Eddy! -Kyle H On Thu, Mar 26, 2009 at 11:26 AM, Eddy Nigg wrote: > On 03/26/2009 03:53 PM, Eddy Nigg: >> >> During the last two weeks I tried to contact the relevant person at the >> registry for the Israeli Signature Law. Unfortunately I wasn't able to reach >> any

Re: NSPR assertion failure

2009-03-25 Thread Kyle Hamilton
I wish OS vendors would realize that we need core files to debug this stuff. :( (Which is the entire reason why the facility exists, actually -- to figure out why programs crash.) The way to get a core file is to execute 'ulimit -c unlimited' before executing the program. Once the program crashe

Re: client certificates unusable?

2009-03-25 Thread Kyle Hamilton
On Mar 24, 2009, at 5:06 PM, Eddy Nigg wrote: On 03/25/2009 12:35 AM, Kyle Hamilton: 'reasonable security' 'this service' (the one you offer 'for free') -- my own assumption is that you don't offer the service of verifying community membership for web

Re: client certificates unusable?

2009-03-24 Thread Kyle Hamilton
iated with such a charactername, for all the world to see everywhere I posted my certificate, if I wasn't doing anything illegal and thus subject to discovery.) -Kyle H On Tue, Mar 24, 2009 at 2:56 PM, Eddy Nigg wrote: > On 03/24/2009 10:21 PM, Kyle Hamilton: >> >> Hate to say i

Re: client certificates unusable?

2009-03-24 Thread Kyle Hamilton
On Tue, Mar 24, 2009 at 12:56 PM, Eddy Nigg wrote: >> >> Remember this: A public key is an identity.  It is an identity which >> is bound to the private key. > > Sure... > >> What would they know about you that couldn't be harvested from email >> lists?  That you have a public key, and an email ad

Re: client certificates unusable?

2009-03-24 Thread Kyle Hamilton
On Tue, Mar 24, 2009 at 3:30 AM, Eddy Nigg wrote: > On 03/24/2009 06:24 AM, Kyle Hamilton: >>> >>> One thing I'm missing...where comes the email control validation in? >>> >> >> This is where you get to upsell your service. > > This is

Re: client certificates unusable?

2009-03-23 Thread Kyle Hamilton
On Mon, Mar 23, 2009 at 7:27 PM, Eddy Nigg wrote: > On 03/24/2009 04:09 AM, Ian G: >> This would then mean that on adding an email account into Tbird, it >> automatically creates the public key pair.  On each email sent out, it >> includes the public key in a header.  On each email received, it gr

Re: client certificates unusable?

2009-03-23 Thread Kyle Hamilton
On Mon, Mar 23, 2009 at 5:35 PM, Ian G wrote: >>> Hmmm, well, many questions abound: why wasn't it done? where was this >>> discussed? Why didn't client certs just happen? Why are we still using >>> passwords? >>> >> >> Good question...it's because it's so much more convenient and everybody >> is

Re: Summing it up. Re: client certificates unusable?

2009-03-22 Thread Kyle Hamilton
2009/3/22 Nelson B Bolyard : > Eddy Nigg wrote, On 2009-03-22 12:51: >> On 03/22/2009 07:25 PM, Anders Rundgren: >>> >>> FF issue: It seems that the AIA ca issuer extension is not supported. >>> This complicates server-setups

Re: client certificates unusable?

2009-03-22 Thread Kyle Hamilton
On Sat, Mar 21, 2009 at 5:57 PM, Nelson B Bolyard wrote: > Kyle Hamilton wrote, On 2009-03-21 15:49: >> On Sat, Mar 21, 2009 at 2:58 PM, Nelson B Bolyard wrote: > >> I blame NSS for choosing not to adhere to certain aspects of the SSL >> 3.0 and TLS 1.

Re: client certificates unusable?

2009-03-21 Thread Kyle Hamilton
On Sat, Mar 21, 2009 at 4:32 PM, Eddy Nigg wrote: > On 03/22/2009 12:55 AM, Ian G: >> Hmmm, well, many questions abound:  why wasn't it done?  where was this >> discussed?  Why didn't client certs just happen?  Why are we still using >> passwords? >> > > Good question...it's because it's so much

Re: client certificates unusable?

2009-03-21 Thread Kyle Hamilton
On Sat, Mar 21, 2009 at 2:58 PM, Nelson B Bolyard wrote: > Kyle Hamilton wrote, On 2009-03-21 14:07: >> No, I blame the browser UI for not exposing useful details of the TLS >> protocol.  The TLS protocol explicitly does not call out the handling >> of server certificates:

Re: client certificates unusable?

2009-03-21 Thread Kyle Hamilton
ent paradigm is what keeps the CAs in business, and the client paradigm and its unwillingness to change is part of what's preventing the adoption of client certificates on the global internet. -Kyle H On Sat, Mar 21, 2009 at 2:07 PM, Kyle Hamilton wrote: > On Sat, Mar 21, 2009 at 1:11

Re: client certificates unusable?

2009-03-21 Thread Kyle Hamilton
On Sat, Mar 21, 2009 at 1:11 PM, Nelson B Bolyard wrote: > Kyle Hamilton wrote, On 2009-03-20 02:15: >> This is a stupid comment. > > Then why post it? Because Anders was referring to the argument as stupid, and I was referring to his comment as stupid. (Sometimes, just sometim

Re: client certificates unusable?

2009-03-20 Thread Kyle Hamilton
ard to establish schemes >> that use the good part of TLS (server-auth) and leave the unwieldy >> part to a community that won't be able fix it. >> >> Anders >> >> >> - Original Message - >> From: "Nelson B Bolyard" >> To: "

Re: client certificates unusable?

2009-03-20 Thread Kyle Hamilton
part of TLS (server-auth) and leave the unwieldy > part to a community that won't be able fix it. > > Anders > > > - Original Message - > From: "Nelson B Bolyard" > To: "mozilla's crypto code discussion list" > > Sent: Friday, M

Re: client certificates unusable?

2009-03-20 Thread Kyle Hamilton
On Thu, Mar 19, 2009 at 11:57 PM, Nelson B Bolyard wrote: > Kyle Hamilton wrote, On 2009-03-19 23:07: > >> My reason for the conservative time suggestions is because that's what >> banks tend to use (my bank times me out after 15 minutes of >> inactivity, as does my p

Re: client certificates unusable?

2009-03-19 Thread Kyle Hamilton
On Thu, Mar 19, 2009 at 8:29 PM, Nelson B Bolyard wrote: > Joe Orton wrote, On 2009-03-19 15:15: >> Going from 3 minutes to 10 minutes doesn't seem like it will save the >> world (if 3 minutes was indeed putting the world at risk). > > Agreed.  For most users 4 or 8 hours is more reasonable, to av

Re: TC TrustCenter Root Inclusion Request

2009-03-18 Thread Kyle Hamilton
You seem to misunderstand the reason there's friction here. (I do understand your reasoning -- there are a lot of active certificates in active use under that root, and you would like to see Thunderbird support them.) However: Over the past several years, the process for getting CAs approved has

Re: client certificates unusable?

2009-03-18 Thread Kyle Hamilton
I think a reasonable default would be about 10 or 15 minutes, with a refresh of the session (moving it back to 0 minutes) every successful request? -Kyle H On Wed, Mar 18, 2009 at 6:56 AM, Joe Orton wrote: > On Tue, Mar 17, 2009 at 10:26:35AM -0700, Robert Relyea wrote: >> Cert selection for Fir

Re: client certificates unusable?

2009-03-18 Thread Kyle Hamilton
ponding to 3,1)), the only appropriate answer would be to close with a fatal illegal_parameter alert? -Kyle H On Wed, Mar 18, 2009 at 5:54 AM, Nelson B Bolyard wrote: > Kyle Hamilton wrote, On 2009-03-18 04:20: >> On Wed, Mar 18, 2009 at 3:28 AM, Nelson B Bolyard wrote: >>> b)

Re: client certificates unusable?

2009-03-18 Thread Kyle Hamilton
On Wed, Mar 18, 2009 at 3:28 AM, Nelson B Bolyard wrote: > b) they have NO CA CERTIFICATES marked as trusted to issue client certs, > so they violate the SSL and TLS 1.0 protocols by sending out empty lists > of issuer names for CA certs, which give clients no information with which > to determine

Re: client certificates unusable?

2009-03-17 Thread Kyle Hamilton
On Tue, Mar 17, 2009 at 5:02 PM, Eddy Nigg wrote: > On 03/18/2009 01:52 AM, Kyle Hamilton: >> >> The problem isn't smart cards, it's the lack of smart card readers, >> > > Well, you can buy them too, the same way you buy a web cam or other > utilities. BTW

Re: client certificates unusable?

2009-03-17 Thread Kyle Hamilton
-- we're basically all agreed, at this point, that things are Seriously Broken, and I'm trying to be constructive, understanding how the current interfaces fail. If you know of other ways that they fail, please chime in.) -Kyle H On Tue, Mar 17, 2009 at 4:52 PM, Kyle Hamilton wrote: >

Re: client certificates unusable?

2009-03-17 Thread Kyle Hamilton
On Tue, Mar 17, 2009 at 4:40 PM, Eddy Nigg wrote: > I agree that there needs to be some fixing. I think you, Anders and > Johnathan presented some very interesting ideas. Being able to carry  the > certs around including a policy profile in a piece of software is > interesting too. It would solve

Re: client certificates unusable?

2009-03-17 Thread Kyle Hamilton
On Tue, Mar 17, 2009 at 4:16 PM, Eddy Nigg wrote: > On 03/17/2009 10:42 PM, Kyle Hamilton: >> >> If client certificates aren't evangelized, the brokenness will never >> come to light.  If the brokenness never comes to light, it's a huge >> amount of resourc

Re: client certificates unusable?

2009-03-17 Thread Kyle Hamilton
think this is fair, > not to mention that the GUIs look MUCH better.  Such solutions > also work flawlessly with [server-side-only] TLS accelerators. > > Saving TLS-client-cert-auth (why?) in browsers MUST start now, > otherwise it will most certainly slowly fade away. > > Anders

Re: client certificates unusable?

2009-03-17 Thread Kyle Hamilton
On Tue, Mar 17, 2009 at 2:51 PM, Anders Rundgren wrote: > I'm personally unconvinced that client-cert-TLS auth is the way ahead. > HTTP-basic was killed by forms and quite a few schemes out there > including Entrust's use a similar paradigm for PKI which works better with > web servers (sessions).

Re: client certificates unusable?

2009-03-17 Thread Kyle Hamilton
On Tue, Mar 17, 2009 at 12:35 PM, Eddy Nigg wrote: > On 03/17/2009 02:45 PM, Johnathan Nightingale: >> >> I think the implicit 4th step there is evangelism, because I think they're >> a much more robust identification/authentication technology than login+pw, >> or most of login+pw's would-be repla

Re: Microsec Root Inclusion Request Round 2

2009-03-13 Thread Kyle Hamilton
I note no outstanding issues, and recommend approval. I'd like to see a photo of how the security tape is wound through the paper translation, but that's just a matter of personal curiosity. :) -Kyle H On Fri, Mar 13, 2009 at 10:29 AM, Kathleen Wilson wrote: > Are there still questions that nee

Re: ComSign Root Inclusion Request

2009-03-11 Thread Kyle Hamilton
Since Eddy's in Israel and thus most likely knows Hebrew (and if not, he knows someone who can translate it well enough for him -- and he has both a vested interest in ensuring he gets it right and a good track record with his contributions to the Mozilla CA vetting process), I propose holding acti

Re: Current algorithm support for Firefox?

2009-03-10 Thread Kyle Hamilton
09 at 4:42 PM, Kyle Hamilton wrote: >> Hey, I'm just trying to figure out what the current algorithms that >> Firefox supports are?  Specifically, I'm trying to figure out what >> hash algorithms, but the symmetric and asymmetric algorithms would be >> useful as w

Current algorithm support for Firefox?

2009-03-10 Thread Kyle Hamilton
Hey, I'm just trying to figure out what the current algorithms that Firefox supports are? Specifically, I'm trying to figure out what hash algorithms, but the symmetric and asymmetric algorithms would be useful as well. Is there a document on this, that is regularly updated? -Kyle H -- dev-tech-

Re: Certigna Root Inclusion Request Round 2

2009-03-10 Thread Kyle Hamilton
I second this motion, no objections. -Kyle H On Tue, Mar 10, 2009 at 10:48 AM, Kathleen Wilson wrote: >> are we planning to move the discussions of accepting CAs into the root >> list over to the other list?  I think that dev-security-policy is going now? > > OK.  If no one objects, I will post

Re: TC TrustCenter Root Inclusion Request

2009-03-09 Thread Kyle Hamilton
On Mon, Mar 9, 2009 at 1:51 PM, wrote: > Summary of Information Gathered and Verified: > > https://bugzilla.mozilla.org/attachment.cgi?id=362354 > > Some quick comments regarding noteworthy points: > > * The TC TrustCenter Class 1 CA root has four internally-operated > subordinate CAs which issue

Re: Certigna Root Inclusion Request Round 2

2009-03-03 Thread Kyle Hamilton
On Tue, Mar 3, 2009 at 1:35 PM, wrote: > Email:  CPS section 5.2.6 specifies the controls for applications for > the Certigna ID certificates. It says that in addition to verifying > the identity of the applicant, they check the email address as follows > as per the supplied translation: > “On le

Re: [Fwd: Warning: Your SSL Certificate on trust-value.com is expiring soon. Upgrade to 2048-bit today]

2009-02-28 Thread Kyle Hamilton
First, Microsoft has already become a CA (multiple times over), and they arguably do more things related to maintaining the trustworthiness of the PKI than Mozilla does. However, I believe that spamming is reprehensible. I also believe that the only reason that spammers actually spam is because o

Re: Work-around for Moxie Marlinspike's Blackhat attack

2009-02-27 Thread Kyle Hamilton
The Unicode standard actually cross-references each character and visually-indistinct glyph. It might be useful to go through it (I'm away from my hardcopy of the Unicode 5.0 Standard at the moment, else I'd look). -Kyle H On Fri, Feb 27, 2009 at 2:15 AM, Jean-Marc Desperrier wrote: > Until a b

Re: ComSign Root Inclusion Request

2009-02-26 Thread Kyle Hamilton
On Thu, Feb 26, 2009 at 7:04 PM, Nelson B Bolyard wrote: > PEM's only real value is that it allows data to be copied and pasted > into and out of text documents.  The base64 content is no more > enlightening, and IMO is significantly less informative, than the > binary DER.  PEM encoding adds a MI

Re: ComSign Root Inclusion Request

2009-02-26 Thread Kyle Hamilton
ugh. I have to rely on external utilities to form a pipeline into an NSS utility that it'll actually use -- and then, not be able to use the metadata discarded by grep -v to verify that what was decoded was what was actually expected? -Kyle H 2009/2/26 Nelson B Bolyard : > Kyle Hamilt

Re: ComSign Root Inclusion Request

2009-02-26 Thread Kyle Hamilton
2009/2/26 Eddy Nigg : > On 02/26/2009 04:18 PM, stefan.claes...@gmail.com: >> >> The CRL that you have problems with are generated manually through >> our offline CA. (RSA Certificate Manager) When generating manually you >> just copy >> the crl into notepad and save it as crl. >> > > It's very easy
