Kai-Michael Thiele/Hamburg/Neuhaus/de is out of the office.

2016-09-30 Thread Kai-Michael . Thiele
I will be out of the office starting 01.10.2016. I will return on 09.10.2016. I will reply to your message after my return. In urgent cases please contact Claus Pauluhn. I'm out of my office at the moment. Your email will be answered after return. In urgent cases ple

Re: About 's future...

2015-09-24 Thread Michael Ströder
oesn't have telemetry on (blame me). Especially security aware people turn off telemetry. Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

default cipher for S/MIME

2015-01-03 Thread Michael Ströder
HI! Mozilla Thunderbird and Seamonkey both choose triple-DES as default cipher for S/MIME messages although the S/MIME caps in a former message of the recipient contained AES256-CBC. Can these be influenced by a property? Or is this a NSA backdoor in the S/MIME standard? Ciao, Michael. -- dev

Re: Updates to the Server Side TLS guide

2014-10-25 Thread Michael Ströder
e to specify these curves in configurations, which isn't widely > supported in servers. This sounds very similar to the discussions on the IETF UTA mailing list. https://datatracker.ietf.org/doc/draft-ietf-uta-tls-bcp/ Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: libnss x86 DRNG

2012-10-04 Thread Michael Demeter
This is a reasonable use.. This can simply be implemented in the primitive where /dev/random is used. It would only need a HW check during initialization to enable using the DRNG or leave it as is in the event HW does not support it.. Michael Demeter Staff Software Engineer Open Source

Re: libnss x86 DRNG

2012-10-02 Thread Michael Demeter
Thanks for the response.. See inline comments On Oct 1, 2012, at 5:22 PM, Ryan Sleevi wrote: > Hi Michael, > > There is definite interest in being able to take advantage of hardware > intrinsics - whether they be the DRNG or the AESNI instructions. For > example, NSS just

libnss x86 DRNG

2012-10-01 Thread Michael Demeter
/dev/random can be used directly. What I would like to do is to implement native DRNG functions to replace the current functions if the HW is available..So I would like some input as to how you would like to see this implemented or if there is any interest at all.. Thanks Michael Demeter Staff

no NSPR? (Re: NSS 3.13.1 released)

2011-11-08 Thread Michael Stahl
version for a given nss release documented? regards, michael [1] http://opengrok.libreoffice.org/xref/core/nss/makefile.mk -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Announcing an experimental public S/MIME keyserver

2011-06-12 Thread Michael Ströder
the e-mail? With which MIME-type? And how does the MUA get this then? Because it's the S/MIME-enabled MUA which extracts e.g. the S/MIME capabilities. Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Announcing an experimental public S/MIME keyserver

2011-06-11 Thread Michael Ströder
-mail footer this information is also disclosed. If not already there you should put a strong hint on the web page that the signed S/MIME messages should not contain any private data except e-mail address. Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https

Re: Announcing an experimental public S/MIME keyserver

2011-06-04 Thread Michael Ströder
Michael Ströder wrote: Kai Engert wrote: In short, go to http://kuix.de/smime-keyserver/ and give it a try. I proposed such an idea in 2001 but never got the time to implement it. Glad you did! http://www.terena.org/activities/tf-lsd/docs/tf-lsd-4-tpp-certcollect.ppt Another short note

Re: Announcing an experimental public S/MIME keyserver

2011-06-04 Thread Michael Ströder
demo server list for web2ldap: http://web2ldap.de/demo.html Also a link like href="mailto:smime-keyser...@kuix.de?BODY=allow-smime-keyserver-inclusion";>smime-keyser...@kuix.de on the page above would be easier to use. Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto

keygen & CRMF on Firefox for mobile

2011-05-12 Thread Michael Helm
This flavor of firefox 4 Useragent string: Mozilla/5.0 (Android; Linux armv7l; rv:2.1.1) Gecko/ Firefox/4.0.2pre Fennec/4.0.1 (which can be installed on Android phones & tablets) seems to lack a functioning keygen magic tag, or the crypto object. The browser doesn't seem to react well at all even t

Re: certutil -D corrupting NSS database...

2011-03-12 Thread Michael H. Warfield
Hey, I've been massively distracted in other projects so I'm way behind in this issue... On Sat, 2011-02-12 at 22:33 -0800, Nelson B Bolyard wrote: > On 2011-01-25 13:07 PDT, Michael H. Warfield wrote: > > > [...] Instead of having a cert in the > > database

{Filename?} Re: certutil -D corrupting NSS database...

2011-02-01 Thread Michael H. Warfield
Warning: This message has had one or more attachments removed Warning: (gorgon10.wittsend.com.p12). Warning: Please read the "WittsEnd-Attachment-Warning.txt" attachment(s) for more information. Hey hey... On Sun, 2011-01-30 at 04:12 -0800, Nelson B Bolyard wrote: > Michael, &

Re: S/MIME encrypted e-mails

2011-02-01 Thread Michael Ströder
; Unfortunately, the > software I am using (ASN.1 Editor) doesn't read the p7m file despite the > fact that it looks as a DER-encoded file at a first glance (even after > removing the zero-byte padding). You should see the RecipientInfos SEQUENCE. Please consult the relevan

certutil -D corrupting NSS database...

2011-01-26 Thread Michael H. Warfield
there on the list. Sequence of things I did and the results are below my signature block with a few comments in square brackets... I figure this one is heading for bugzilla one way or the other but wanted to hear others thoughts on it first. Oh... This is on Fedora 13 with nss-util 3.12.8 as

Re: Browser-based RSA encryption/decryption

2010-09-21 Thread Michael Ströder
Martin Paljak wrote: > On Sep 21, 2010, at 12:48 PM, Michael Ströder wrote: >> The keys should be sent from the web app to the browser protected via Shared >> Secret negotiated before. So we would need to access a RSA API functions for >> encryption/decryption from Javascri

Re: Browser-based RSA encryption/decryption

2010-09-21 Thread Michael Ströder
Martin, thanks for your quick response. Martin Paljak wrote: > On Sep 21, 2010, at 12:19 PM, Michael Ströder wrote: >> We're thinking about doing RSA encryption/decryption within the browser. For >> this application Javascript is assumed to be enabled but we consider usin

Browser-based RSA encryption/decryption

2010-09-21 Thread Michael Ströder
s are much too slow. Is it possible to access the crypto libs in Mozilla-based browsers (Firefox, Seamonkey, etc.) from Javascript? Any hints are highly appreciated. Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Using a 'secret' SSL client certificate from Mozilla

2010-09-07 Thread Michael Smith
On Sep 7, 6:55 am, Konstantin Andreev wrote: > On 08/28/10 02:36, Michael Smith wrote: > > > Rather than the normal case of a client certificate belonging to the user, > > and just added to the certificate store, we want to have a certificate that > > nominally belongs

Re: Using a 'secret' SSL client certificate from Mozilla

2010-09-07 Thread Michael Smith
On Sep 3, 11:53 am, Nelson B Bolyard wrote: > On 2010-08-30 11:04 PDT, Michael Smith wrote: > > > On Aug 28, 10:08 am, Nelson Bolyard > > wrote: > >> What is the real underlying objective of this? > >> Is it to authenticate the individual user of the product

Re: Using a 'secret' SSL client certificate from Mozilla

2010-08-30 Thread Michael Smith
On Aug 28, 10:08 am, Nelson Bolyard wrote: > On 2010-08-27 16:48 PDT, Michael Smith wrote: > > > We're not really looking for a "couldn't be compromised" solutions - > > this is a requirement from a company we're partnering with, not our > > idea,

Re: Using a 'secret' SSL client certificate from Mozilla

2010-08-27 Thread Michael Smith
On Aug 27, 4:30 pm, John Dennis wrote: > On 08/27/2010 06:36 PM, Michael Smith wrote: > > > > > Hi all, > > > In our (mozilla/xulrunner-based) application, we're trying to set up a > > secure connection to a server that requires a client certificate. > &g

Using a 'secret' SSL client certificate from Mozilla

2010-08-27 Thread Michael Smith
Hi all, In our (mozilla/xulrunner-based) application, we're trying to set up a secure connection to a server that requires a client certificate. Rather than the normal case of a client certificate belonging to the user, and just added to the certificate store, we want to have a certificate that n

Re: S/MIME interop issue with Outlook 2010 beta

2010-06-14 Thread Michael Ströder
'd also think Mozilla should not change its implementation. I can't say what the MS forum moderator knows or understands. Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Need to verify pkcs#8 keys

2010-04-28 Thread Michael Ströder
Huzaifa Sidhpurwala wrote: > So i know that pkcs#8 keys are not supported by nss due to security > reasons, What security reasons? Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Improper SSL certificate issuing by CAs

2010-04-01 Thread Michael Ströder
Eddy Nigg wrote: > On 04/01/2010 02:40 PM, Michael Ströder: >> You could also spend ~5000 EUR and have your own corporate sub-CA issuing >> certs for whatever DNS name you want. > > Which doesn't imply that no domain control validation is performed. Of course everythi

Re: Improper SSL certificate issuing by CAs

2010-04-01 Thread Michael Ströder
5000 EUR and have your own corporate sub-CA issuing certs for whatever DNS name you want. Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: S/MIME interop issue with Outlook 2010 beta

2010-03-31 Thread Michael Ströder
Kaspar Brand wrote: > On 31.03.2010 19:00, Michael Ströder wrote: >> Strange because my e-mail cert does not have subjectKeyIdentifier at all. >> >> Hmm, in theory a S/MIME MUA could calculate it on-the-fly even if the cert >> does not have one and build a lookup tabl

Re: S/MIME interop issue with Outlook 2010 beta

2010-03-31 Thread Michael Ströder
Kaspar Brand wrote: > On 31.03.2010 07:49, Michael Ströder wrote: >> It seems it's a CMS structure and recipientInfos contains subject key ids >> instead of issuerAndSerialNumber. It seems Seamonkey 2.0.x does not support >> that. Is it supported by the underlying li

S/MIME interop issue with Outlook 2010 beta

2010-03-30 Thread Michael Ströder
t that. Is it supported by the underlying libs? Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: List/remove cached S/MIME capabilities

2010-02-24 Thread Michael Ströder
Nelson B Bolyard wrote: > On 2010-02-18 03:06 PST, Michael Ströder wrote: > >> I'm using Seamonkey 2.0.3 under Linux. Is there a way to list and tweak the >> cached S/MIME capabilities for certain recipients? > > There is no way to list them, at present. There could

Re: List/remove cached S/MIME capabilities

2010-02-24 Thread Michael Ströder
Nelson B Bolyard wrote: > On 2010-02-18 03:06 PST, Michael Ströder wrote: > >> I'm using Seamonkey 2.0.3 under Linux. Is there a way to list and tweak the >> cached S/MIME capabilities for certain recipients? > > There is no way to list them, at present. There could

Re: List/remove cached S/MIME capabilities

2010-02-19 Thread Michael Ströder
ing an S/MIME message and the user should be able to exclude weak ciphers from being used at all. > You can find relevant discussions in other newsgroups, not this one. Which one? Ciao, Michael. -- Michael Ströder E-Mail: mich...@stroeder.com http://www.stroeder.com -- dev-tech-crypto mail

List/remove cached S/MIME capabilities

2010-02-18 Thread Michael Ströder
HI! I'm using Seamonkey 2.0.3 under Linux. Is there a way to list and tweak the cached S/MIME capabilities for certain recipients? Ciao, Michael. -- Michael Ströder E-Mail: mich...@stroeder.com http://www.stroeder.com -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org

Re: S/MIME with SHA-256

2009-12-08 Thread Michael Ströder
Jean-Marc Desperrier wrote: > Michael Ströder wrote: >> I switched back to use SHA-1 and the very same >> e-mails are now correctly validated in Seamonkey 1.1.18 and 2.0. > > So they were not before ? Yes, the S/MIME signatures with SHA-256 were not correctly validated by S

Re: S/MIME with SHA-256

2009-12-07 Thread Michael Ströder
Nelson B Bolyard wrote: > On 2009-12-07 07:30 PST, Michael Ströder wrote: >> Are the Mozilla-based MUAs Thunderbird and Seamonkey currently capable of >> verifying S/MIME signed e-mails where SHA-256 is used as hash? > > Should be. Why don't you send me one? Hmm, not a

S/MIME with SHA-256

2009-12-07 Thread Michael Ströder
HI! Are Outlook and Outlook Express currently capable of verifying S/MIME signed e-mails where SHA-256 is used as hash algorithm? Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

S/MIME

2009-12-07 Thread Michael Ströder
HI! Are the Mozilla-based MUAs Thunderbird and Seamonkey currently capable of verifying S/MIME signed e-mails where SHA-256 is used as hash? Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Extrace Mozilla trusted certs into PEM files?

2009-08-07 Thread Michael Ströder
Nelson Bolyard wrote: > On 2009-08-06 03:47, Michael Ströder wrote: >> Eddy Nigg wrote: >>>> Quite a while ago, I read a message from someone saying he had devised, >>>> or was going to devise, a scheme to extract all of Mozilla's trusted root >>>>

Re: Extrace Mozilla trusted certs into PEM files?

2009-08-06 Thread Michael Ströder
ngerprints of the CA certs therein one could obtain (out-of-band)? Going to all the CA's web sites will not be overly effective I guess... :-/ Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: [Authentication] Firefox? Re: Secret Storage API specification project

2009-07-12 Thread Michael Leupold
fitting users who don't only use Konqueror, Epiphany, Arora, FireFox, ... but switch between browsers. There are related user requests in both Mozilla's and KDE's bugtracker. Regards, Michael signature.asc Description: This is a digitally signed message part. -- dev-tech-cry

Secret Storage API specification project

2009-07-10 Thread Michael Leupold
erested in taking part in the drafting process. Regards, Michael Leupold [1] http://lists.freedesktop.org/mailman/listinfo/Authentication [2] http://git.gnome.org:80/cgit/gnome-keyring/?h=dbus-api [3] http://www.freedesktop.org/wiki/Specifications/secret-storage-spec signature.asc Description: T

PK12UTIL not importing entire chain

2009-07-09 Thread Michael Kaply
I'm trying to figure out a different behavior I'm seeing today vs. NSS I was using about a year ago. Basically I have a code signing cert that contains a complete chain and my memory of importing a year ago (and looking at the DB files that I have generated from when I did that work), it has a

Re: Renaming cert on import (or using certutil)

2009-07-09 Thread Michael Kaply
Appreciate the detailed explanation. Unfortunately I'm getting a segmentation fault on the export of the test.pem to my new pfx file... Very strange... Mike On 7/9/09 6:38 AM, David Stutzman wrote: Michael Kaply wrote: I'm importing a code signing cert into my database using pk1

Re: PKCS#11 Module for TPM availiable

2009-07-09 Thread Michael Ströder
TPM. Isn't that how most HSMs work? Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Renaming cert on import (or using certutil)

2009-07-08 Thread Michael Kaply
I'm importing a code signing cert into my database using pk12util, but it gets assigned a random alias: e33eb463-ddba-4895-9469-bfdd01c71fe2 Is there a way via the command line utilities to rename that to a more human name? I'm sure I did this in the past, but I can't find anything in the do

Re: S/MIME in Thunderbird

2009-07-08 Thread Michael Ströder
er is ready to use is much less useful. Wouldn't a X.509v3 cert with extension sMIMECapabilities imply that this e-mail cert can be used with S/MIME? Ciao, Michael. -- Michael Ströder E-Mail: mich...@stroeder.com http://www.stroeder.com -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: S/MIME in Thunderbird

2009-07-08 Thread Michael Ströder
ion solely when no signed S/MIME message was received so far or the notBefore date of the e-mail cert is newer than the timestamp of the last S/MIME caps stored. Still this assumes that the issuing CA really knows about the correct S/MIME caps which could be true for corporate CAs issuing

Re: Problem reading certificate from hardware token

2009-07-02 Thread Michael Ströder
Anders Rundgren wrote: > Linux: doesn't even provide a crypto service API, or does it? There's a PKCS#11 driver implementation by OpenSC project (see http://www.opensc.org/). Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org

Re: S/MIME in Thunderbird

2009-06-26 Thread Michael Ströder
nse at all. Yupp. Ciao, Michael. -- Michael Ströder E-Mail: mich...@stroeder.com http://www.stroeder.com -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: S/MIME in Thunderbird

2009-06-26 Thread Michael Ströder
wrong. ;-} > Exchanging certificates also violates the privacy > anyway since one of the most secret things is actually *who* you > communicate with. ??? Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: S/MIME in Thunderbird

2009-06-21 Thread Michael Ströder
cts should display the symmetric cipher and key strengths actually used in a S/MIME message like it's already done for SSL connections. Ciao, Michael. -- Michael Ströder E-Mail: mich...@stroeder.com http://www.stroeder.com -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Fwd: Has any public CA ever had their certificate revoked?

2009-05-03 Thread Michael Ströder
by this. Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Smart Cards. Re: The element

2009-04-18 Thread Michael Ströder
ugh. > Don't take it personal, Don't worry, I won't. ;-) > but browser-PKI is totally lame. It is a 15-year old > Netscape "hack" that is since long overdue. Well, I still disagree. And if you want a really detailed client-side smartcard provisioning you could alre

Re: Smart Cards. Re: The element

2009-04-18 Thread Michael Ströder
't see a reason why there can't be an additional HTML attribute for which lists the names of acceptable PKCS#11 and/or CAPI key stores. I'd vote against an abstract "smartcard bit" or "HSM bit" anyway. If a CA wants to make a provision about which key store to u

Re: Smart Cards. Re: The element

2009-04-18 Thread Michael Ströder
system layouts. But that's a level below . Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Smart Cards. Re: The element

2009-04-18 Thread Michael Ströder
ted even if just using a file-based key store. But nobody came up with a really good idea how to solve that issue. Please, don't raise the Skype-is-so-wonderful discussion again. Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: [whatwg] The element

2009-04-18 Thread Michael Ströder
her end, and see how protocols could be invoked in FireFox in a > generic fashion. It always rings some bells regarding generic protocols. The more flexible they are the harder it is for implementors to get them securely implemented. One of the real caveats of PKIX is the comp

Re: and generateCRMFRequest () - Which is Mozilla's choice?

2009-04-16 Thread Michael Ströder
eb apps and/or browsers. Personally I prefer a key enrollment interface running without it (Javascript disabled in the browser). Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: and generateCRMFRequest () - Which is Mozilla's choice?

2009-04-16 Thread Michael Ströder
because it's simple, you can put it in HTML templates and it doesn't need Javascript. Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: client certificates unusable?

2009-03-30 Thread Michael Ströder
ming from the X.500 world) is a naming attribute with pretty broad semantics. Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Hongkong Post Root Inclusion Request

2009-02-10 Thread Michael Ströder
isplace CRLs > as the preferred revocation channel? I'd say no. Use of OCSP should not be made mandatory. Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

CA switched to SHA-1?

2009-02-03 Thread Michael Kohler
Good evening, have now all CAs switched to SHA-1 encryption due the MD5 collision attack on CA certs? Michael -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: most secure algorithms

2009-02-02 Thread Michael Kohler
Thanks! -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

most secure algorithms

2009-02-01 Thread Michael Kohler
good evening, what are currently the most secure algorithms? (also hash algorithms).. Michael -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: X509 per machine (not per user) - or equivalent needed

2009-01-30 Thread Michael Ströder
Denis McCarthy wrote: > On Fri, Jan 30, 2009 at 2:15 PM, Michael Ströder wrote: >> Ian G wrote: >>> X.509 is a user concept, not a transaction concept. >> Hmm, X.509 certs are simply a strong binding between a name of an entity >> and a public key. Machines can be

Re: X509 per machine (not per user) - or equivalent needed

2009-01-30 Thread Michael Ströder
'd probably prefer the X.509-based user authc and lookup the machine on which the transaction was performed based on other data. Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Policy: revoke on private key exposure

2009-01-30 Thread Michael Ströder
Florian Weimer wrote: > * Michael Ströder: > >> Florian Weimer wrote: >>> What about requiring that all certificates must be published by the CA >>> (including sub-CAs)? >> No, this might lead to also revealing internal DNS names never meant to >>

Re: Server Gated Cryptography

2009-01-29 Thread Michael Ströder
>> Super. Would you care to file a bug to do that, or shall I? :-) > > What would the motive be for writing a patch that has no effect? Code cleaning. Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Policy: revoke on private key exposure

2009-01-22 Thread Michael Ströder
Florian Weimer wrote: > What about requiring that all certificates must be published by the CA > (including sub-CAs)? No, this might lead to also revealing internal DNS names never meant to be public. Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org

Re: Policy: revoke on private key exposure

2009-01-22 Thread Michael Ströder
>> attack >>> is in evidence, as a condition of having trust bits in Firefox. >> >> Fully agree. > > Thirded. +1 > I'm surprised that isn't already the case :-( Me too. :-/ Ciao, Michael. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: OS dependence of mail cert profiles

2009-01-21 Thread Michael Bell
behaviour like with OpenSC. Best regards Michael ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: OS dependence of mail cert profiles

2009-01-21 Thread Michael Bell
Eddy Nigg wrote: > >> On 01/21/2009 03:36 PM, Michael Bell: > >> Sorry for wasting your time > > No waste was produced ;-) Good to know. > Also the CA certificates must be imported into your profile for this to > work and have the correct trust bits set. This i

Re: OS dependence of mail cert profiles

2009-01-21 Thread Michael Bell
which is required by the Siemens software and the original format of the card is not usable by OpenSC. Really frustrating. http://www.nabble.com/CardOS-4.3B-card---administration-state-td19418475.html Sorry for wasting your time Michael ___ dev-tech-crypto

Re: OS dependence of mail cert profiles

2009-01-21 Thread Michael Bell
Eddy Nigg wrote: > > On 01/21/2009 01:19 PM, Michael Bell: >> No, I use the Siemens software on Windows and OpenSC on Linux. > > To all of my knowledge they aren't compatible. After I removed my whole thunderbird profile I am one step further. The certificate displays the

Re: OS dependence of mail cert profiles

2009-01-21 Thread Michael Bell
Michael Bell wrote: > Michael Bell wrote: > >> I analysed the situation and discovered that the purpose of the cert >> on Windows is "Client, sign, encrypt" but the purpose on Linux is >> "". I checked the cert with OpenSSL and noticed that the >>

Re: OS dependence of mail cert profiles

2009-01-21 Thread Michael Bell
Michael Bell wrote: > I analysed the situation and discovered that the purpose of the cert > on Windows is "Client, sign, encrypt" but the purpose on Linux is > "". I checked the cert with OpenSSL and noticed that the > certificate does not include the usual nsCe

Re: OS dependence of mail cert profiles

2009-01-21 Thread Michael Bell
Eddy Nigg wrote: > > On 01/21/2009 01:07 PM, Michael Bell: >> Eddy Nigg wrote: >> >>> On 01/21/2009 11:57 AM, Michael Bell: >>> >>> Which driver are you using on Linux? Is this an Aladdin eToken? Which >>> library did you choose as the PKCS1

Re: OS dependence of mail cert profiles

2009-01-21 Thread Michael Bell
Michael Bell wrote: > > I analysed the situation and discovered that the purpose of the cert > on Windows is "Client, sign, encrypt" but the purpose on Linux is > "". I checked the cert with OpenSSL and noticed that the > certificate does not include the usual

Re: OS dependence of mail cert profiles

2009-01-21 Thread Michael Bell
Eddy Nigg wrote: > On 01/21/2009 11:57 AM, Michael Bell: > > Which driver are you using on Linux? Is this an Aladdin eToken? Which > library did you choose as the PKCS11 module? I use a Siemens CardOS V4.3B Smartcard. It is a real Smartcard and no USB token. I use the OpenSC PK

Re: OS dependence of mail cert profiles

2009-01-21 Thread Michael Bell
eless the certificate still does not work on Linux. Best regards Michael ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

OS dependence of mail cert profiles

2009-01-21 Thread Michael Bell
ding the certificate extensions? FYI the internal PKCS#11 module of Thunderbird displays the following HW versions for the Generic Crypto Services: Linux 3.12 and 4.0 Windows: 3.11 and 8.3 Best regards Michael ___ dev-tech-crypto mailing list dev-tech-cryp

Re: CABForum place in the world

2009-01-17 Thread Michael Ströder
Jean-Marc Desperrier wrote: > Michael Ströder a écrit : >> I think that the attitude of not bothering >> the end user with technical details is the wrong direction because >> people with technical knowledge need the details to help the end user. >> Especially since ther

Re: OCSP and privacy concerns

2009-01-16 Thread Michael Ströder
n OCSP responders. Ah, ok. So the SSL-enabled server asks the OCSP responder of the server cert issuer. Hmm, let's see if this will ever be widely used. I have some doubts... Ciao, Michael. ___ dev-tech-crypto mailing list dev-tech-crypto@l

Re: CABForum place in the world

2009-01-15 Thread Michael Ströder
sers tend to send screenshot of the first error message to the helpdesk. > I know you likely already know this, but do keep in mind as well that if > you are someone who *does* understand this information, flipping the > browser.xul.error_pages.expert_bad_cert pref in a

Re: OCSP and privacy concerns

2009-01-15 Thread Michael Ströder
Johnathan Nightingale wrote: > On 9-Jan-09, at 9:38 AM, Michael Ströder wrote: >> Can OCSP still be disabled? Personally I have strong privacy concerns >> since when checking for a server cert via OCSP the OCSP responder knows >> which server you try to access (because the

Re: CABForum place in the world

2009-01-15 Thread Michael Ströder
Jean-Marc Desperrier wrote: > Michael Ströder a écrit : >> [...] >> A couple of days ago I've received a phishing spam e-mail with a >> detailed description "how to accept the new more secure EV cert" of a >> banking site. Obviously the goal was to tric

Re: Suggestion: Announce date for MD5 signature deactivation

2009-01-14 Thread Michael Ströder
> someone breaks the rule, we remove them, You have to know the sub-CA in question to remove the accompanying root CA. Mozilla cannot know all of them. Sub-CAs are often not audited at all. Sometimes not even the sub-CA's CP/CPS is reviewed by the root CA. Anyway I'd al

Re: Suggestion: Announce date for MD5 signature deactivation

2009-01-14 Thread Michael Ströder
e policy shouldn't be > changed every here and now and I think this is the position Frank > represents too. Maybe it would be better to point to algorithm recommendations by NIST or similar national organizations? Ciao, Michael. ___ dev-tec

Re: Security-Critical Information (i.e. Private Key) transmitted by Firefox to CA (i.e. Thawte) during X.509 key/cert generation

2009-01-14 Thread Michael Ströder
Ian G wrote: > On 9/1/09 13:02, Michael Ströder wrote: >> Fost1954 wrote: >>> I do not want to be offending, but a simple "I think so"-answer does not >>> satisfy most of the Firefox-Thawte Users,... >> >> I also do not want to be offending but if

Re: CABForum place in the world

2009-01-14 Thread Michael Ströder
shers will be quick to imitate it. A couple of days ago I've received a phishing spam e-mail with a detailed description "how to accept the new more secure EV cert" of a banking site. Obviously the goal was to trick the user to access a phishing site. I didn

Re: selling the MITM

2009-01-14 Thread Michael Ströder
is a little bit stricter regarding privacy regulations. I think companies here can also deploy such a MITM proxy but they have to make a "Betriebsvereinbarung" about the Internet usage within the company. Ciao, Michael. ___ dev-tech-crypto mailing

Re: Fully open operation

2009-01-14 Thread Michael Ströder
Ian G wrote: > On 14/1/09 15:35, Michael Ströder wrote: >> David E. Ross wrote: >>> On 1/3/2009 6:51 PM, Ian G wrote: >>>> It was written: >>>>> But aren't auditors the eye of the public performing and recording >>>>> those >&g

Re: Fully open operation

2009-01-14 Thread Michael Ströder
om auditor to the public has been drawn in the courts, where > lawsuits against auditors by investors injured by corporate fraud have > been successful. But unfortunately this likely does not apply to IT security audits. Ciao, Michael. ___ dev-tech-

Re: PositiveSSL is not valid for browsers

2009-01-14 Thread Michael Ströder
erings proposing anything > else by judging those of the most popular CAs. But maybe you are right > and there might be room for a fourth (high-high) class even. No matter what security class...the basic issue is that the guidelines obviously aren't enforced. Ciao, Michael. ___

Re: PositiveSSL is not valid for browsers

2009-01-09 Thread Michael Ströder
Ben Bucksch wrote: > Browsers do not differentiate. Users can not differentiate. All certs > *are* used for e-commerce. I fully agree! That's why I considered EV certs to be marketing hype from the very beginning. Ciao, Michael. ___ dev-

OCSP and privacy concerns (was: CABForum place in the world)

2009-01-09 Thread Michael Ströder
is in the server cert's subject DN). Ciao, Michael. ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Fw:

2009-01-09 Thread Michael Ströder
nefit > from a standardized method for keygen. Yupp. And personally I'd prefer a rather simple solution. Ciao, Michael. ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
