Re: Build error for NSS 3.17.4 (Windows 7)--needs to be addressed in NSPR

2015-02-02 Thread Sean Leonard
On 2/2/2015 6:26 AM, Kai Engert wrote: On Mon, 2015-02-02 at 13:21 +0100, helpcrypto helpcrypto wrote: On Mon, Feb 2, 2015 at 1:17 PM, Kai Engert wrote: exported: OS_TARGET=WINNT Please use OS_TARGET=WIN95 That's the newer and supported configuration. LOL hahahahahahahahahahahahahahaha

Build error for NSS 3.17.4 (Windows 7)--needs to be addressed in NSPR

2015-02-01 Thread Sean Leonard
I'm trying to build NSS 3.17.4 on Windows 7 with the latest MozillaBuild. Although I was able to work around a build error, it would be appreciated if the NSS folks get the NSPR folks to fix the problem. Used: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_17_4_RTM/src/ ns

Re: Request restoration of PK11_SetPublicKeyNickname and PK11_SetPrivateKeyNickname

2014-10-07 Thread Sean Leonard
3 AM, helpcrypto helpcrypto wrote: As NSS doesn't expose that function (IMHO it should), couldn't you use PK11_Read/WriteRawAttribute? (Apart from whether this should be fixed or not) On Tue, Oct 7, 2014 at 10:20 AM, helpcrypto helpcrypto wrote: On Tue, Oct 7, 2014 at 10:02 AM, Sean Leonard wrote: Thanks,

Re: Request restoration of PK11_SetPublicKeyNickname and PK11_SetPrivateKeyNickname

2014-10-07 Thread Sean Leonard
On 10/7/2014 1:20 AM, helpcrypto helpcrypto wrote: On Tue, Oct 7, 2014 at 10:02 AM, Sean Leonard wrote: Thanks, but the need is to change the nickname. It is displayed in Mozilla apps for various purposes. The nickname is also known as the "friendly name" on other platforms

Re: Request restoration of PK11_SetPublicKeyNickname and PK11_SetPrivateKeyNickname

2014-10-07 Thread Sean Leonard
ren't part of the PKCS#11 standard, so I would suggest instead using CKA_ID (hash of public key; certificate, public and private keys have the same) On Tue, Oct 7, 2014 at 9:15 AM, Sean Leonard wrote: Hi Mozilla/Firefox crypto people: In Firefox 33 (and generally Mozilla toolkit apps, including

Request restoration of PK11_SetPublicKeyNickname and PK11_SetPrivateKeyNickname

2014-10-07 Thread Sean Leonard
Hi Mozilla/Firefox crypto people: In Firefox 33 (and generally Mozilla toolkit apps, including Thunderbird) on Windows, it appears that nss3.dll is folded and only a subset of functions are exposed. See . Among the functions

Build error for NSS 3.15.3 (Windows)

2013-11-17 Thread Sean Leonard
Hi NSS people: I am trying to build NSS 3.15.3 for Windows using the bundle on ftp.mozilla.org (https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_3_RTM/src/). I am getting a build problem: nsinstall -m 444 templates.c ../../../dist/private/nss make[2]: Leaving directory

Re: Removal of generateCRMFRequest

2013-10-09 Thread Sean Leonard
On 10/9/2013 4:36 PM, Nathan Kinder wrote: I'm all for a standardized replacement, but it seems wrong to rip out something that has been a nice functional feature that people have come to rely on for many years before a replacement is available. Also (in support of preserving, NOT removing,

Re: Removal of generateCRMFRequest

2013-09-28 Thread Sean Leonard
On 9/27/2013 5:51 PM, Robert Relyea wrote: I don't have a problem with going for an industry standard way of doing all of these things, but it's certainly pretty presumptuous to remove these features without supplying the industry standard replacements and time for them to filter through the in

Re: Removal of "Revocation Lists" feature (Options -> Advanced -> Revocation Lists)

2013-05-02 Thread Sean Leonard
Can't respond to everything at once, but let me at least try to pick off the easy ones: On 5/1/2013 4:44 PM, Brian Smith wrote: Sean Leonard wrote: Brian Smith wrote: The "Revocation Lists" feature allows a user to configure Firefox to poll the CA's server on a regular interv

Re: Removal of "Revocation Lists" feature (Options -> Advanced -> Revocation Lists)

2013-05-01 Thread Sean Leonard
Please, do not remove this important feature. On 4/30/2013 2:28 PM, Brian Smith wrote: Hi all, I propose we remove the "Revocation Lists" feature (Options -> Advanced -> Revocation Lists). Are there any objections? If so, please explain your objection. Please do not remove this feature. Ther

How to find all certificates by subject name?

2012-06-03 Thread Sean Leonard
Hi all, What is the best way with NSS to find all certificates that have the same subject name? The function CERT_FindCertByName expresses the right general idea, but it only returns one certificate at maximum. Internally, it calls NSSCryptoContext_FindBestCertificateBySubject, which calls

Re: Google about to fix the CRL download mechanism in Chrome

2012-02-08 Thread Sean Leonard
Without expressing my opinions on the wisdom of whatever Google is proposing... What Jean-Marc has described (and what the Google post also describes) is already covered by RFC 5280 in the concept of "indirect CRL", which you can see in Section 5. It is also worth pointing out that "indirect

Re: libpkix maintenance plan (was Re: What exactly are the benefits of libpkix over the old certificate path validation library?)

2012-01-25 Thread Sean Leonard
gnostics for the paths not taken. Ryan I ended up writing a lot of text in response to this post, so, I am breaking up the response into three mini-responses. Part I On 1/18/2012 4:23 PM, Brian Smith wrote: > Sean Leonard wrote: >> The most glaring problem however is t

Re: libpkix maintenance plan (was Re: What exactly are the benefits of libpkix over the old certificate path validation library?)

2012-01-25 Thread Sean Leonard
Part III On 1/18/2012 4:23 PM, Brian Smith wrote: Sean Leonard wrote: >> We do not currently use HTTP or LDAP certificate stores with respect >> to libpkix/the functionality that is exposed by CERT_PKIXVerifyCert. >> That being said, it is conceivable that others could use th

Re: libpkix maintenance plan (was Re: What exactly are the benefits of libpkix over the old certificate path validation library?)

2012-01-25 Thread Sean Leonard
Part II On 1/18/2012 4:23 PM, Brian Smith wrote: > Sean Leonard wrote: >> and no log information. > > Firefox has also been bitten by this and this is one of the things blocking the switch to libpkix as the default mechanism in Firefox. However, sometime soon I may just propose

Re: libpkix maintenance plan (was Re: What exactly are the benefits of libpkix over the old certificate path validation library?)

2012-01-25 Thread Sean Leonard
I ended up writing a lot of text in response to this post, so, I am breaking up the response into three mini-responses. Part I On 1/18/2012 4:23 PM, Brian Smith wrote: > Sean Leonard wrote: >> The most glaring problem however is that when validation fails, such >> as in the ca

Re: libpkix maintenance plan (was Re: What exactly are the benefits of libpkix over the old certificate path validation library?)

2012-01-18 Thread Sean Leonard
Hi All, I'm the lead developer of Gmail S/MIME, and its successor, Penango, which is bringing /end-to-end/ cross-platform S/MIME secure e-mail to webmail and web-based messaging everywhere. It seems that this thread has brought out its fair share of lurkers so I thought I would add some persp

Re: Restricting which CAs can issue certs for which hostnames

2011-09-01 Thread Sean Leonard
Looks like there is some discussion on mozilla.dev.security; I wanted to respond from more of an NSS point of view. On 8/30/2011 9:46 AM, Boris Zbarsky wrote: I was looking at our CA root list, and a lot of them seem like "specialist" CAs that would only issue certs for a limited range of hostn

Re: How to determine V8 vs. V9 DB at runtime

2011-08-19 Thread Sean Leonard
On 8/18/2011 10:32 AM, Robert Relyea wrote: On 08/17/2011 08:23 PM, Sean Leonard wrote: Is there a way to determine whether the NSS DB(s) are in V8 (aka sdb->sdb_type = SDB_LEGACY) versus in V9 (aka sdb->sdb_type = SDB_SQL) mode? Unfortunately, I don't believe that is surfaced a

How to determine V8 vs. V9 DB at runtime

2011-08-17 Thread Sean Leonard
Is there a way to determine whether the NSS DB(s) are in V8 (aka sdb->sdb_type = SDB_LEGACY) versus in V9 (aka sdb->sdb_type = SDB_SQL) mode? I am doing some research into setting certificate nicknames. The legacy DB (aka 'the DB that everybody uses because it is the default and it is very com

Re: Validating custom extended key usage (EKU) with NSS

2011-08-17 Thread Sean Leonard
On 8/15/2011 5:14 PM, Robert Relyea wrote: On 08/13/2011 12:30 PM, Sean Leonard wrote: On 7/29/2011 2:21 AM, Sean Leonard wrote: What is the procedure to validate an arbitrary extended key usage (EKU) with NSS? [...] Without refreshing my memory by looking at the code, I suspect your

Re: Validating custom extended key usage (EKU) with NSS

2011-08-13 Thread Sean Leonard
On 7/29/2011 2:21 AM, Sean Leonard wrote: What is the procedure to validate an arbitrary extended key usage (EKU) with NSS? Suppose that one has an application built on NSS, where certificates can be used if they have the extended key usage (EKU) 1.2.3.4.5.99. The API calls

Validating custom extended key usage (EKU) with NSS

2011-07-30 Thread Sean Leonard
What is the procedure to validate an arbitrary extended key usage (EKU) with NSS? Suppose that one has an application built on NSS, where certificates can be used if they have the extended key usage (EKU) 1.2.3.4.5.99. The API calls CERT_VerifyCertificate and CERT_PKIXVerifyCert expect a

Validating custom extended key usage (EKU) with NSS

2011-07-29 Thread Sean Leonard
What is the procedure to validate an arbitrary extended key usage (EKU) with NSS? Suppose that one has an application built on NSS, where certificates can be used if they have the extended key usage (EKU) 1.2.3.4.5.99. The API calls CERT_VerifyCertificate and CERT_PKIXVerifyCert expect a