Re: Root certificates bundled with Iceweasel/Firefox (Icecode/Thunderbird)?

2015-10-08 Thread helpcrypto helpcrypto
Ping? On Thu, Sep 24, 2015 at 10:18 AM, helpcrypto helpcrypto < helpcry...@gmail.com> wrote: > Hi > > > Iceweasel/Firefox 38 seem to bundle: > > >- DigiCert Assured ID Root CA with serialnumber 0C E7 E0 E5 17 D8 46 >FE 8F E5 60 FC 1B F0 30 39 >- TEREN

Re: How to access certs in the Windows keystore from Java?

2015-10-08 Thread helpcrypto helpcrypto
On Wed, Oct 7, 2015 at 7:45 PM, wrote: > Maybe my googling skills are weak, but I found no information on how to > get NSS to use keys from the Windows keystore. In the end, I decided it's > probably a violation of the NSS paradigm anyway. It seems the intent is to > use the NSS database as the s

Re: How to access certs in the Windows keystore from Java?

2015-10-05 Thread helpcrypto helpcrypto
Hi Merlin Google is full of references and examples if you look for something like "java NSS" Anyhow, to use a certificate stored on Windows Keystore you have to use MSCAPI provider ("How to java mscapi") If you want to use a certificate stored on NSS (Firefox/Thunderbird) or a pkcs#11 token, the

Re: Prevent "proxyfying" PKCS#11

2015-09-29 Thread helpcrypto helpcrypto
Julien: you and me have "at the end" the same problem. Java Web applets are passing away and we are looking for alternatives. If you are just talking about "scanning", there are 3 options AFAIK to do that: - From web invoke 127.0.0.1:port application(service) which listens on port X and do all the

Re: Prevent "proxyfying" PKCS#11

2015-09-29 Thread helpcrypto helpcrypto
On Tue, Sep 29, 2015 at 2:26 AM, Robert Relyea wrote: > On 09/25/2015 01:36 AM, helpcrypto helpcrypto wrote: > >> Hi all >> >> >> I hope you can find a solution for my problem, cause I can't. (And perhaps >> it's impossible) >> >> >>

Re: Prevent "proxyfying" PKCS#11

2015-09-28 Thread helpcrypto helpcrypto
d to write another Java plug-in ? > > I certainly need Java in the browser, for other reasons (running a scanner > applet to use with my bank). > Julien We also use an applet for that, but it's another pal problem :P On 9/25/2015 09:13, Erwann Abalea wrote: > >> Le vend

Re: [Opensc-devel] Prevent "proxyfying" PKCS#11

2015-09-28 Thread helpcrypto helpcrypto
On Fri, Sep 25, 2015 at 3:47 PM, Ludovic Rousseau < ludovic.rouss...@gmail.com> wrote: > Hello, > > 2015-09-25 14:45 GMT+02:00 helpcrypto helpcrypto : > > But we still have the issue with the data sent from server. eg: server > sent > > "sign these 10 docu

Re: [Opensc-devel] Prevent "proxyfying" PKCS#11

2015-09-25 Thread helpcrypto helpcrypto
On Fri, Sep 25, 2015 at 11:15 AM, Andreas Schwier < andreas.schwier...@cardcontact.de> wrote: > Hi, > > you mention a common problem with PIN authentication and smart cards: To > keep the PIN protected on the path between the PIN entry and chip must > be protected. > > There are two alternatives:

Re: [Opensc-devel] Prevent "proxyfying" PKCS#11

2015-09-25 Thread helpcrypto helpcrypto
On Fri, Sep 25, 2015 at 11:21 AM, Dirk-Willem van Gulik < di...@webweaving.org> wrote: > On 25 Sep 2015, at 10:36, helpcrypto helpcrypto > wrote: > > > I hope you can find a solution for my problem, cause I can't. (And > perhaps it's impossible) > > >

Re: Prevent "proxyfying" PKCS#11

2015-09-25 Thread helpcrypto helpcrypto
On Fri, Sep 25, 2015 at 11:52 AM, Erwann Abalea wrote: > Hello, > > On Friday, 25 September 2015 10:36:53 UTC+2, helpcrypto helpcrypto > wrote: > > I hope you can find a solution for my problem, cause I can't. (And > perhaps > > it's impossible) >

Prevent "proxyfying" PKCS#11

2015-09-25 Thread helpcrypto helpcrypto
Hi all I hope you can find a solution for my problem, cause I can't. (And perhaps it's impossible) Based on my knowledge of PKCS#11 standard, the spec is exposed to a MITM attack that steals the PIN when an application invokes C_Login against a PK#11 library. While using CryptoAPI it's the sy

Root certificates bundled with Iceweasel/Firefox (Icecode/Thunderbird)?

2015-09-24 Thread helpcrypto helpcrypto
Hi Iceweasel/Firefox 38 seem to bundle: - DigiCert Assured ID Root CA with serialnumber 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39 - TERENA SSL CA 3 with 08 70 BC C5 AF 3F DB 95 9A 91 CB 6A EE EF E4 65 None of them seem to appear on: https://mozillacaprogram.secure.force.com/CA/

Re: About 's future...

2015-09-17 Thread helpcrypto helpcrypto
On Thu, Sep 17, 2015 at 8:59 PM, Rob Stradling wrote: > The existence of this bug... > > https://bugzilla.mozilla.org/show_bug.cgi?id=1191414 > "gather telemetry on usage of " > > ...would seem to suggest that Mozilla "haven't decided anything yet". > IMHO that's not a good approach. A common us

About 's future...

2015-09-17 Thread helpcrypto helpcrypto
Hi all As previously raised on this list, there's a open wardiscussion about removing [1] Some people, like Sir Tim Berners-Lee doesn't seem to agree with that, hence another thread is taking place at [2] For Google, it seems the decision has been made, nothing is going to change, and could d

Re: Remove Legacy TLS Ciphersuites from Initial Handshake by Default

2015-04-29 Thread helpcrypto helpcrypto
ping? On Tue, Mar 17, 2015 at 5:15 PM, helpcrypto helpcrypto wrote: > If I understand correctly, dropping will be "at browser level", ie: end > users won't be capable of "using" their legacy certificates. > So far, only SSL certificates < 2048 were sh

Re: Remove Legacy TLS Ciphersuites from Initial Handshake by Default

2015-03-17 Thread helpcrypto helpcrypto
If I understand correctly, dropping will be "at browser level", ie: end users won't be capable of "using" their legacy certificates. So far, only SSL certificates < 2048 were shown as unsafe in Chrome. Am I right? Chrome [1] plans dropping 1024 by the end of the year. Firefox [2] is going to drop

"Forgotten" requests

2015-03-04 Thread helpcrypto helpcrypto
Hi. Making some tests this week I have made several requests using Firefox. AFAIK, each stores a (persistent) keypair which will be used to issue new certificates later. I assume these keys are stored on key3.db Is there any mechanism to list how many keypairs are present on my profile? Is the

Re: Build error for NSS 3.17.4 (Windows 7)--needs to be addressed in NSPR

2015-02-02 Thread helpcrypto helpcrypto
On Mon, Feb 2, 2015 at 1:17 PM, Kai Engert wrote: > > exported: > > OS_TARGET=WINNT > > Please use OS_TARGET=WIN95 > > That's the newer and supported configuration. > > LOL hahahahahahahahahahahahahahaha I love you kaie ;) -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https:

Re: Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2

2015-01-16 Thread helpcrypto helpcrypto
IIUC what Bob/Christina said, it's not possible yet. Personally, i have no idea :P On Thu, Jan 15, 2015 at 9:37 PM, wrote: > Ahh, ok fine. > > But are you able to tell me if it's possible to create TLS 1.1 and 1.2 > sockets with JSS. > > Thanks a bunch. > -- > dev-tech-crypto mailing list > dev-

Re: Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2

2015-01-15 Thread helpcrypto helpcrypto
On Thu, Jan 15, 2015 at 2:55 PM, deepreel wrote: > helpcrypto: > > Thank you great code samples...but...I'm stuck with using JSS and the > > org.mozilla.jss.ssl hierarchy. > > Your snippits are using either JSSE or apache libraries no? > > Unless I'm missing something obvious. > Probably you are

Re: Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2

2015-01-15 Thread helpcrypto helpcrypto
't seem to see anyway other than these methods to control > protocols. > > Sincerely > > > > On Tuesday, 13 January 2015 13:14:05 UTC-5, helpcrypto helpcrypto wrote: > > On Mon, Jan 12, 2015 at 11:10 PM, wrote: > > > > > Folks, > > > > &g

Re: Accessing Firefox keystore

2015-01-15 Thread helpcrypto helpcrypto
Didn't, just telling you what's in there. I just need/use personal, hence softokn is enough for me. On Wed, Jan 14, 2015 at 11:58 PM, Opa114 wrote: > > - People > > > (personal without related private key) > > --> how did you get this? > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists

Re: Accessing Firefox keystore

2015-01-14 Thread helpcrypto helpcrypto
Hi Matthias As stated in [1] you should use nssModule=trustanchors I have tried: String config = "name = NSS\r\n nssLibraryDirectory = "+ tmpDirName + "\r\n nssSecmodDirectory = " + profile.replace("\\", "/") + "\r\n nssDbMode = readOnly\r\n nssModule = trustanchors\r\n attributes = comp

Re: Accessing Firefox keystore

2015-01-13 Thread helpcrypto helpcrypto
On Tue, Jan 13, 2015 at 7:18 PM, Opa114 wrote: > On Tuesday, 13 January 2015 19:04:28 UTC+1, helpcrypto helpcrypto wrote: > > That's your mistake: > > > > Using softokn+slot=2 will access your personal/installed certificates, > not > > CA/trusted ones. > >

Re: Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2

2015-01-13 Thread helpcrypto helpcrypto
On Mon, Jan 12, 2015 at 11:10 PM, wrote: > Folks, > > Sorry for the totally newbie question but I've hunted high and low. > > I am supporting some Java code that uses JSS4, NSS to provide SSL Server > side services. > > In response to Poodle I've been looking this code and was able to Enable > TL

Re: Accessing Firefox keystore

2015-01-13 Thread helpcrypto helpcrypto
That's your mistake: Using softokn+slot=2 will access your personal/installed certificates, not CA/trusted ones. Perhaps slot 1 will do, but I have never tried. On Tue, Jan 13, 2015 at 5:19 PM, Opa114 wrote: > i mean the Server and CA not only own Certificates > -- > dev-tech-crypto mailing li

Re: Accessing Firefox keystore

2015-01-13 Thread helpcrypto helpcrypto
This one is working: http://pastebin.com/qqPf4cvM Regards On Tue, Jan 13, 2015 at 12:29 PM, Opa114 wrote: > On Tuesday, 13 January 2015 12:14:28 UTC+1, helpcrypto helpcrypto wrote: > > On Tue, Jan 13, 2015 at 12:00 PM, Opa114 wrote: > > > > > thanks again. i have co

Re: Accessing Firefox keystore

2015-01-13 Thread helpcrypto helpcrypto
On Tue, Jan 13, 2015 at 12:00 PM, Opa114 wrote: > thanks again. i have compared my code with your piece of code you posted > and i have the same. But i still get the Error: CKR_DEVICE_ERROR > CKR_DEVICE_ERROR is an error on the cryptoki itself, as stated by PKCS#11 standard. I have found several

Re: Accessing Firefox keystore

2015-01-13 Thread helpcrypto helpcrypto
efix='' flags=readOnly\"\r\n"; path is where softkn3 is located profile is the path where .db files are located. This should work. In the event of problems, check: http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html There are a lot of resources on google

Re: Accessing Firefox keystore

2015-01-12 Thread helpcrypto helpcrypto
This is the dependency lack ;) This is what I have, probably some have changed: String[] nssDeps = { //WARNING: Order MATTERS! System.mapLibraryName("msvcr100"), System.mapLibraryName("msvcp100"), System.mapLibraryName("mozglue"),

Re: Accessing Firefox keystore

2015-01-12 Thread helpcrypto helpcrypto
In fact, to be more funny, JRE8 has another bug (IIRC on XP) where spaces ' ' aren't allowed either! Regards. On Mon, Jan 12, 2015 at 2:34 PM, helpcrypto helpcrypto wrote: > To sum up: It's a Java bug. Consider copying softkn and dependencies to > %temp% >

Re: Accessing Firefox keystore

2015-01-12 Thread helpcrypto helpcrypto
To sum up: It's a Java bug. Consider copying softkn and dependencies to %temp% It only accepts "elemental characters" ie: not '(', neither 'á'... On Mon, Jan 12, 2015 at 2:25 PM, Opa114 wrote: > hi again, > > yeah i googled the last days very much about this topic. so i found out > the best sol

Re: Accessing Firefox keystore

2015-01-12 Thread helpcrypto helpcrypto
Hi If you want to work with cert8, even from Java, consider using certutil (via running a command). If you want to sign with a locally-installed X509 (keys are stored on key3.db), I still consider using SunPKCS#11 for attacking softkn3 your best option. Regards On Sat, Jan 10, 2015 at 2:46 AM

Re: Accessing Firefox keystore

2015-01-09 Thread helpcrypto helpcrypto
I'm parsing secmod.db, not cert8.db. If you plan to parse cert8.db I suggest you have a look on certutil source. https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_certutil Regards On Fri, Jan 9, 2015 at 12:04 PM, Opa114 wrote: > could you give me a little exam

Re: Accessing Firefox keystore

2015-01-09 Thread helpcrypto helpcrypto
On Thu, Jan 8, 2015 at 11:19 PM, Robert Relyea wrote: > On 12/11/2014 12:33 AM, helpcrypto helpcrypto wrote: > >> Hi again, sorry for delay. >> >> Yes, you can (SHOULD) use SunPKCS#11 to access directly the >> libraries/modules. >> You can do it two ways:

Re: Accessing Firefox keystore

2014-12-11 Thread helpcrypto helpcrypto
Hi again, sorry for delay. Yes, you can (SHOULD) use SunPKCS#11 to access directly the libraries/modules. You can do it two ways: - attack libraries directly - parse (legacy) secmod.db on Firefox profile to list modules/libraries. Have a look on http://stackoverflow.com/questions/2873581/is-i

Re: Problems with Certificate Manager in Thunderbird using S/MIME

2014-12-04 Thread helpcrypto helpcrypto
Haven't tested yet, but you could file a bug, although I don't know if it will be accepted. If you have both accounts on your profile, you "are" the 2 people, hence there's no reason to send you a crypted message to yourself. I would accept the bug, but will give a 0.001 priority... A workaround

Re: Accessing Firefox keystore

2014-12-04 Thread helpcrypto helpcrypto
Using Java applets is possible through SunPKCS11 class [ http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunPKCS11Provider ]. I don't recommend you JSS (In my experience, it sucks) You can also use plugins, but AFAIK the API is limited to some functions. On Tue,

Re: NSS modutil: Adding PKCS#11 module with PIN to nssdb

2014-11-07 Thread helpcrypto helpcrypto
For such a tricky thing, although I don't like it, you could use a "proxy" library, like PKCS11SPY which forwards every call to your library, but sends the PIN when needed / at first use if your token is present (to avoid locking other cards). If you need such behaviour, why just don't use NSS keyst

Re: Request restoration of PK11_SetPublicKeyNickname and PK11_SetPrivateKeyNickname

2014-10-07 Thread helpcrypto helpcrypto
As NSS doesnt expose that function (IMHO it Should), couldnt you use PK11_Read/WriteRawAttribute? (Apart this should being fixed or not) On Tue, Oct 7, 2014 at 10:20 AM, helpcrypto helpcrypto wrote: > On Tue, Oct 7, 2014 at 10:02 AM, Sean Leonard > wrote: > >> Thanks, but the ne

Re: Request restoration of PK11_SetPublicKeyNickname and PK11_SetPrivateKeyNickname

2014-10-07 Thread helpcrypto helpcrypto
ncoded string. > Oh, I see. Then you could use C_G/SetAttributeValue with CKA_LABEL, isnt it? > Sean > > On 10/7/2014 12:38 AM, helpcrypto helpcrypto wrote: > >> IIRC, nicknames aren't part of PKCS#11 standard, so i would suggest >> instead >> using CKA_ID (h

Re: Request restoration of PK11_SetPublicKeyNickname and PK11_SetPrivateKeyNickname

2014-10-07 Thread helpcrypto helpcrypto
IIRC, nicknames aren't part of PKCS#11 standard, so i would suggest instead using CKA_ID (hash of public key; certificate, public and private keys have the same) On Tue, Oct 7, 2014 at 9:15 AM, Sean Leonard wrote: > Hi Mozilla/Firefox crypto people: > > In Firefox 33 (and generally Mozilla toolk

Re: Java, Webcrypto, SmartCards and document signing (AGAIN)

2014-08-28 Thread helpcrypto helpcrypto
Hi Martin. > https://github.com/open-eid/chrome-token-signing > Considering Chrome is dropping NPAPI and NaCl doesn't allow "privileged execution", will this run in the coming future? I found it very interesting. Probably it has some other disadvantages (like running on iOS/Android), but I don't wa

Re: Java, Webcrypto, SmartCards and document signing (AGAIN)

2014-08-25 Thread helpcrypto helpcrypto
Hi Martin. Sorry for delay, was on holidays! On Fri, Aug 1, 2014 at 5:49 PM, Martin Paljak wrote: > There is a workshop happening where webcrypto smart card access is > being discussed: > > http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/Overview.html > I contacted with people from G

Re: Java, Webcrypto, SmartCards and document signing (AGAIN)

2014-07-30 Thread helpcrypto helpcrypto
Ping? On Fri, Jul 11, 2014 at 8:46 AM, helpcrypto helpcrypto wrote: > Hi all. > > > Sorry for resurrecting zombies (again). And sorry if this has been > answered already (Too much work confuse my mind). > > > As I have said before, in our organization we use a Java Appl

Java, Webcrypto, SmartCards and document signing (AGAIN)

2014-07-10 Thread helpcrypto helpcrypto
Hi all. Sorry for resurrecting zombies (again). And sorry if this has been answered already (Too much work confuses my mind). As I have said before, in our organization we use a Java Applet to discover and use smartcards (via PKCS#11) to be able to do batch document signage on web pages with our

Re: Intent to unimplement: proprietary window.crypto functions/properties

2014-06-30 Thread helpcrypto helpcrypto
On Fri, Jun 27, 2014 at 6:32 PM, Brian Smith wrote: Hi > The issue is that the WebCrypto API uses a totally separate keystore from > the X.509 client certificate keystore (if it doesn't, it should be), and > the stuff that Red Hat does is about client certificates. AFAICT, WebCrypto > doesn't

Re: Cryptoki interface to decrypt mail with thunderbird

2014-03-10 Thread helpcrypto helpcrypto
Our pkcs#11 is working properly for that scenario (we dont digests, just decrypt, so the key is provided by thunderbird). I suggest u trying opensc pkcs11-spy and check logfiles On Mon, Mar 10, 2014 at 8:48 AM, Leon Brits wrote: > Hi Robert, > > Thanks for the reply. > > > ...I'm assuming we ar

Re: Longterm crypto support

2013-12-17 Thread helpcrypto helpcrypto
Probably I'm lost in the translation. Some of our users still have 1024 RSA certificates which they use for HTTPS client auth or signing documents. Are you suggesting to stop supporting/allowing these certificates? If yes, I suppose you will change low level to 2048 on , isn't it? On Sun, Dec 15, 2

Re: Discussion about Bug 914690 - In Firefox 24 and following, mark all versions of Java as unsafe

2013-10-28 Thread helpcrypto helpcrypto
On Mon, Oct 28, 2013 at 2:03 PM, wrote: > On Monday, October 28, 2013 1:50:42 PM UTC+1, helpcrypto helpcrypto wrote: > > Something similar to Webcrypto should work, but having user keys in mind. > > AFAIK, WebCrypto[1] is the replacement for the current window.crypto (and >

Discussion about Bug 914690 - In Firefox 24 and following, mark all versions of Java as unsafe

2013-10-28 Thread helpcrypto helpcrypto
*Hi all* Before starting, I'd like to apologize for any incorrect grammar or typo I could do. I'm not a native and I'm trying my best. Although I think most of us agree that *"The era of Java Applets" must end*, after asking a few questions to WebCrypto WG, seems they don't share this thought/they don

Re: NSS+JSS in FIPS mode for Encryption and Decryption in java

2013-08-27 Thread helpcrypto helpcrypto
On Mon, Aug 26, 2013 at 7:11 PM, raj wrote: > Hello helpcrypto, > > Thank you so much for your response. If we use the SunPKCS11, is NSS > library > the one doing encryption/decryption stuff?? > No idea. Just use NSS to access installed certificates to sign using PKCS#11 interface. But u can con

Re: NSS+JSS in FIPS mode for Encryption and Decryption in java

2013-08-26 Thread helpcrypto helpcrypto
In the past we used JSS but at the end we have move to SunPKCS11 provider. Consider using it as stated in http://docs.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html#NSS My two cents. On Thu, Aug 22, 2013 at 9:12 PM, raj wrote: > Need help in doing the NSS+JSS in FIPS mode for

Re: Need to use the main NSS module as a PKCS#11 module in IBM Notes

2013-08-26 Thread helpcrypto helpcrypto
+1! On Sun, Aug 25, 2013 at 3:02 AM, Kyle Hamilton wrote: > Hi, > > I'm finding myself in a situation where I need to use the certificates and > keys stored in my standard NSS profile in other applications. > > My initial, naïve idea was that NSS itself is a PKCS#11 module. > Unfortunately, thi

Re: 64bit NSS build on windows 7 x64

2013-08-26 Thread helpcrypto helpcrypto
I compiled nss+nspr+modutil+certutil 32 bits vs2009 last week. Didn't compile 64 bits cause Firefox 64 bits is no longer supported (IIRC). On Sat, Aug 24, 2013 at 2:21 PM, wrote: > I searched the net for 64bit build but didn't find anything, I don't have > enough time to build it myself so Can y

Re: Recent modutil/certutil builds?

2013-08-22 Thread helpcrypto helpcrypto
nvm, already built. btw, is it normal "certutil -L -d " not to list/echo anything? On Thu, Aug 22, 2013 at 9:50 AM, helpcrypto helpcrypto wrote: > Hi. > > > Does anyone in here have a recently compiled version of modutil, certutil > and their dependencies, for windows

Recent modutil/certutil builds?

2013-08-22 Thread helpcrypto helpcrypto
Hi. Does anyone in here have a recently compiled version of modutil, certutil and their dependencies, for windows platform? (better if both: 32 bits and 64 bits). Just to save time and head hitting against the wall... Thanks in advance!

Re: Contribution

2013-07-18 Thread helpcrypto helpcrypto
Hi Shivam. Look for little bugs, like https://bugzilla.mozilla.org/show_bug.cgi?id=670895 and start to get used to NSS internals. Also, check https://developer.mozilla.org/en/docs/NSS And don't hesitate to ask ;) On Thu, Jul 18, 2013 at 9:37 AM, Shivam Agarwal wrote: > Want to contribute to

Re: Issues with strategy used by org.mozilla.jss.CryptoManager#findPrivKeyByCert to find matching Private Key

2013-04-22 Thread helpcrypto helpcrypto
h as for a smartcard, you won't be able to access that > > smartcard through the SunPKCS11-NSS bridge. * If you use JSS, you can > > easily get lists of modules and tokens that are configured in the NSS DB > > and freely access all of it. > > > > On Fri, Apr 1

Re: Issues with strategy used by org.mozilla.jss.CryptoManager#findPrivKeyByCert to find matching Private Key

2013-04-19 Thread helpcrypto helpcrypto
On Tue, Apr 16, 2013 at 7:27 PM, Jaime Hablutzel Egoavil < hablutz...@gmail.com> wrote: > Are you talking about PKCS11 bridge for a standard PKCS#11 module?. I was > thinking in accesing smartcards configured in NSS database, so I don't have > to deal with the location of the dll module. I'm sorry

Re: certutil - Generate a new key.

2013-04-19 Thread helpcrypto helpcrypto
On Tue, Apr 16, 2013 at 8:01 PM, Robert Relyea wrote: > On 04/15/2013 02:34 PM, Matt Yakel wrote: > >> Hi all, Is the "certutil" a linux tool only? I am needing to deploy Local >> Security Certs to our work network (windows). >> > > No, it can be built for pretty much any NSS supported platform.

Re: Issues with strategy used by org.mozilla.jss.CryptoManager#findPrivKeyByCert to find matching Private Key

2013-04-16 Thread helpcrypto helpcrypto
> implementation > >is almost useless. Since these problems lie deep in the NSS design and > >implementation, there is no clear timeframe for fixing them. > Meanwhile, the > >org.mozilla.jss.crypto.CryptoStore class can be used for some of this > >functionality. > Yes, we have sm

Re: Issues with strategy used by org.mozilla.jss.CryptoManager#findPrivKeyByCert to find matching Private Key

2013-04-12 Thread helpcrypto helpcrypto
On Thu, Apr 11, 2013 at 11:59 PM, Jaime Hablutzel Egoavil < hablutz...@gmail.com> wrote: > Hi, I have a hardware token accesible via PKCS#11 which is storing private > keys and certificate like this : > > certificate A, CKA_ID: 1234 > certificate B, CKA_ID: 1234 > Hi Jaime. In our case CKA_ID=has

Re: Removal of generateCRMFRequest

2013-04-08 Thread helpcrypto helpcrypto
On Mon, Apr 8, 2013 at 12:10 PM, Anders Rundgren wrote: > This seems to be out of scope: > http://lists.w3.org/Archives/Public/public-webcrypto/2013Apr/0072.html Hi Anders. As it scopes signning: http://www.w3.org/TR/WebCryptoAPI/#Crypto-method-sign, I suppose you mean smartcards are out of sco

Re: Removal of generateCRMFRequest

2013-04-08 Thread helpcrypto helpcrypto
>> More generally, I would like to remove all the Mozilla-proprietary methods >> and properties from window.crypto; i.e. all the >> ones athttps://developer.mozilla.org/en-US/docs/JavaScript_crypto. Some of >> them are actually pretty problematic. >> Are there any worth keeping? >> > signText() i

Re: Batch Signatures. Was: Web Crypto API(s) and what Mozilla wants / needs

2013-02-22 Thread helpcrypto helpcrypto
> In my opinion this is a perfect application for server-based signatures. > What's needed is an authorization signature where a responsible person > attests that he/she have verified the correctness of the input data > that I guess is presented in web format. > > The attestation would be stored in

Re: Batch Signatures. Was: Web Crypto API(s) and what Mozilla wants / needs

2013-02-21 Thread helpcrypto helpcrypto
When we have to generate signed copies for a lot of documents (eg: student course certificates), we use our applet the following way: - step 1: authenticate and retrieve certificate to use - step 2 (n times): sign using selected certificate Of course, there are risks of signing undesired docume

Re: Web Crypto API(s) and what Mozilla wants / needs

2013-02-21 Thread helpcrypto helpcrypto
BTW, what is this? http://html5.creation.net/webcrypto-api/ -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Web Crypto API(s) and what Mozilla wants / needs

2013-02-21 Thread helpcrypto helpcrypto
So, to sum up: Will it be possible, using Web-Crypto API, to sign using a Pkcs#11 key/cert? What about MSCAPI key/cert? Will it be possible, using Web-Crypto API, to sign in batch-mode? Thanks for answers!

Re: Web Crypto API(s) and what Mozilla wants / needs

2013-02-15 Thread helpcrypto helpcrypto
>> ie: javascript invoke getKeyFromPKCS11("modulename") and "#1" is >> returned, but can be used. > > How do you envision that this access should be controlled? > Here imagine that you have dozens of keys, not just a single key in a smart > card. The same way as SSL client authentication: with a

Re: Web Crypto API(s) and what Mozilla wants / needs

2013-02-15 Thread helpcrypto helpcrypto
> I think we all mean "key handles" instead of "plaintext key material" > but the problem is the same - keys get exposed "naked" and can be > (ab)used for whatever. I mean, apart from malicious sign operations, i dont see any risk on javascript "seeing" a key handle. Is there any? If the only ris

Re: Web Crypto API(s) and what Mozilla wants / needs

2013-02-15 Thread helpcrypto helpcrypto
> The problem with this approach is that you expose keys to arbitrary javascript > code which is rather different to for example TLS-client-certificate > authentication which only exposes a high-level mechanism as well as a > [reasonably] secure credential filtering scheme and user GUI. clear as w

Re: Web Crypto API(s) and what Mozilla wants / needs

2013-02-15 Thread helpcrypto helpcrypto
>>> I do understand the frustration you must feel in trying to get browsers >> to work closely with your national ID/Cert system. There are many such >> systems, and trying to create an API that works with your specific >> requirements, hardware and regulations is very difficult. The WG notes >> th

Re: Web Crypto API(s) and what Mozilla wants / needs

2013-02-14 Thread helpcrypto helpcrypto
Hi David. First: Thank you (all) for your hard work on this. Second: Sorry for any mistake, typo or pocahontas speak. IMHO we NEED this, and Mozilla NEED it also. In our case, we are currently using a Java applet to make digital signature of documents in many formats (XMLDsig, XAdES, PAdES...) u

Re: Create a SelfSign Certificate in C++

2013-02-04 Thread helpcrypto helpcrypto
https://www.google.com/search?q=c%2B%2B+create+self+signed+certificate On Sat, Feb 2, 2013 at 8:30 PM, James Burton wrote: > Hello > > I want to create a selfsign certificate in c++ but i don't know were to start > and > i would like some help if you could make a example application to show me h

Re: how to use mozzila root certs

2013-01-25 Thread helpcrypto helpcrypto
On Thu, Jan 24, 2013 at 3:44 PM, wrote: > Hello, > > I need to add/remove certificates in my NSS db from certdata.txt (obtained > from > http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt) > I was partially able to parse using the go script (it threw errors at

Re: Proposing: Interactive Domain Verification Approval

2013-01-08 Thread helpcrypto helpcrypto
Hi Kyle, happy new year. I agree with you -users should learn-, but "showing and skipping" still happens (I love to think each day less). Instead of warning BEFORE openning page/conection, what about opening in a "safe mode" and a warning toolbar (similar to blocked popup) alerting about all this?

Re: Shared system database

2012-07-25 Thread helpcrypto helpcrypto
> As I understand it, PKCS#11 token support was actually *removed* from > the Keychain in the latest versions of OSX, and is now a third-party > add-on? IIRC: Apple said smartcard services are not going to be supported by them, but the community (macosforge). Apple didn't provide a supported altern

Re: Shared system database

2012-07-24 Thread helpcrypto helpcrypto
Let me ask to make it clear: You are asking for: (paths are just for example purposes) a) To set up a $HOME/nss to store user certs + trusted by the user (actually more/less what already have). Doesnt Chrome use something like that already? b) To set up a /usr/nss to store system-wide certs and

Re: Building and running NSS for Android.

2012-07-10 Thread helpcrypto helpcrypto
IMVVHO, Firefox/Mozilla should work like Chrome: using the keystore of each OS. ie: MSKeystore on Windows, Keychain on OSX and (a shared) NSS on Linux. Similar for Android or other systems. Probably (surely) this was discussed somewhere and some time ago, but maybe the time to change has come

Missing libmozsqlite3.so on Ubuntu 12.04 Firefox 13?

2012-06-26 Thread helpcrypto helpcrypto
Probably I missed a known bug but: ldd /usr/lib/firefox/libsoftokn3.so shows libmozsqlite3.so => not found Can you confirm this? It is a bug, isn't it?

Re: Feedback on DOMCryptInternalAPI

2012-05-13 Thread helpcrypto helpcrypto
Yesterday thoughts: Some policies say "Before signing, a preview of what is going to be signed must be shown to the user". If we use something like: signedData=sign(key,dataToBeSigned) this could show, for example, a pdf preview of what is being signed. I love that idea, but what if i actua

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-05-08 Thread helpcrypto helpcrypto
> And what about applets without JSS, using Secmod [1] or the sunpkcs11 > [2] provider? > > [1] http://www.docjar.com/docs/api/sun/security/pkcs11/Secmod.html > [2] http://www.docjar.com/docs/api/sun/security/pkcs11/SunPKCS11.html Any comments?

Re: Running NSS as a "Service"

2012-05-02 Thread helpcrypto helpcrypto
+2! On Sat, Apr 28, 2012 at 8:13 PM, Robert Townley wrote: > On Friday, February 17, 2012 11:07:47 AM UTC-6, Anders Rundgren wrote: >> After looking into several similar solutions including Gnome Keyring >> I wonder if it is not time for NSS transcending into a service rather >> than a library ru

Re: Feedback on DOMCryptInternalAPI

2012-04-26 Thread helpcrypto helpcrypto
> If you want the signature + document to be legally sustainable and/or > user-interpretable, then plaintext signatures with embedded public keys are > the way to go.  You can base64-encode the public keys :)  Some further > development of this theme is at > http://iang.org/papers/ricardian_contrac

Re: Feedback on DOMCryptInternalAPI

2012-04-26 Thread helpcrypto helpcrypto
> Supporting smart cards in the spec and first implementations is not a goal, > however, I think a lot of the base work we are doing will help in a future > iteration. For instance, I hope that this Gecko 'internal API' will help > extension and browser developers to experiment with smartcards,

Re: Feedback on DOMCryptInternalAPI

2012-04-25 Thread helpcrypto helpcrypto
> for signWithUserConfirmation > as I know, that requirement was raised because of regulations of some > countries. > it is UI specific function and need some fixed UI (already > mentioned spanish DNIe) > I think we need some control for that with CSS style > the very important concept is "the cont

Re: Feedback on DOMCryptInternalAPI

2012-04-25 Thread helpcrypto helpcrypto
Just some comments you could ignore :P As said before, I don't know if you have considered smartcard. These, (as discussed in https://groups.google.com/forum/#!topic/mozilla.dev.tech.crypto/hNS32Zhz9gw) could have some other needs. IMHO, a lot of discussion yet to come. I have experienced some issues

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-23 Thread helpcrypto helpcrypto
> Helpcrypto, a possible *long-term* solution to this is that the requester > indicates such preferences. So if the requester says "external card" > (for example) the dialog would not need the user to select. If there > is no card present, it would ask the user to insert a suitable card. > This i

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-20 Thread helpcrypto helpcrypto
After reading your three mails, I have only one thing to say: Clear as water. Thanks a lot for your patience and effort on explaining this for short-minded like me. Thanks a lot, REALLY, for your long, detailed and clear answer. Of course, thanks a lot to Anders (which also suffered me) and others,

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-19 Thread helpcrypto helpcrypto
> Dear HelpCrypto, I'm not pushing my protocol.  I just don't think > that web-pages should be able to directly address *any* device > but the screen. If that were true, many things (like JSS) should disappear from MDN. Don't misunderstand. I'm not complaining about you or your protocol. > If you take

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-19 Thread helpcrypto helpcrypto
> My "solution" to this is to treat all PKI-using applications as complete > applications running in trusted code.  W3C tries to do something different, > we'll see how that pans out... Ok Anders, but you are -again- talking much about your protocol, not answering my question (or at least, I didn't

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-19 Thread helpcrypto helpcrypto
> I can see where this difficulty is, I've worked on smart cards and it is ... > perverse.  I'll see if I can explain it.  As an aside I have no idea what > the NSS people think, I'm not speaking for them, and they don't typically > like what I say :)  Apologies out of the way, onwards! This sound

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-19 Thread helpcrypto helpcrypto
> (to me, that question makes no sense.  users can't talk to smart cards. >  Only smart card readers and programs can.  So what smart card reader and > what program is doing this?  A dumb smart card reader and a browser, > following Javascript instructions from a website?  That'd be game over...)

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-19 Thread helpcrypto helpcrypto
> My scenario is a billion+ community who haven't a clue what a CSP > is and never will.  They may not even know what a certificate is! > > A CSP-solution doesn't give the issuer any information about where and > how a key was generated.  The same goes for NSS, JCE, and PKCS #11. Developer *can* k

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-18 Thread helpcrypto helpcrypto
On Wed, Apr 18, 2012 at 10:03 AM, Anders Rundgren wrote: > Dear "helpcrypto", now it became a little bit messy because I'm talking about > principles while you are talking about specific interfaces like NSS, and PKCS > #11. Ok. Rather than discussing technical or theoretical points of view, I thin

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-18 Thread helpcrypto helpcrypto
> Although E2ES (End-to-End-Security with respect to the *container*) is > actually my line of work (http://webpki.org/papers/keygen2/sks-api-arch.pdf), > I don't understand why you would use it during signing or authentication. > Yes, TLS-client-cert-authentication is also E2ES but it works "one l

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-17 Thread helpcrypto helpcrypto
> It was for example suggested that PKCS #11 should be exposed as a > JavaScript object.  I think that is downright ridiculous idea, > almost as bad as: http://www.sconnect.com/FAQ/index.html Let me expose two user-cases where I think that will be helpful (and maybe the only option). -Web page t

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-17 Thread helpcrypto helpcrypto
So, do you (we) ALL agree NSS should be modified to hook with system keystores like Windows or OSX? (Linux has no default system keystore, so there will be no changes by now) Maybe wtc has something to say against this... Are Mozilla (we) going to see (wait) what is said on: http://www.w3.org/201

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-17 Thread helpcrypto helpcrypto
> I would not build a scheme based on NSS because NSS is not a prerequisite > unless you force people to use Firefox. We aren't forcing. We already support Microsoft, OSX and Google browsers, and (trying) Firefox too. >  Hooking Mozilla/NSS into native APIs like CryptoAPI is a much more important
