Re: (nss-3.12.6) unable to engage FIPS mode: "security library: invalid arguments."

2010-06-13 Thread Robin H. Johnson
On Sun, Jun 13, 2010 at 03:08:07PM -0700, Nelson B Bolyard wrote: > On 2010-06-13 13:02 PDT, Robin H. Johnson wrote: > > On Sun, Jun 13, 2010 at 02:02:39AM -0700, Nelson B Bolyard wrote: > >>> The root of the problem is that the shared libraries can change > >>>

Re: (nss-3.12.6) unable to engage FIPS mode: "security library: invalid arguments."

2010-06-13 Thread Robin H. Johnson
ot verify. > > Running shlibsign does remedy the problem. > > > > However, this entire matter could be remedied if some more useful error > > had been returned instead of 'Invalid Arguments'. Something to indicate > > that the library checksums no longer matche

Re: (nss-3.12.6) unable to engage FIPS mode: "security library: invalid arguments."

2010-06-13 Thread Robin H. Johnson
ch-22. Either I have to run shlibsign afterwards, or I have to not sign those files, and leave them open to potential compromise. Running shlibsign does remedy the problem. However, this entire matter could be remedied if some more useful error had been returned instead of 'Invalid Argumen

Re: (nss-3.12.6) unable to engage FIPS mode: "security library: invalid arguments."

2010-06-12 Thread Robin H. Johnson
On Sat, Jun 12, 2010 at 12:15:07PM -0700, Matt McCutchen wrote: > On Jun 12, 2:25 pm, Nelson B Bolyard wrote: > > On 2010-06-10 22:59 PDT, Robin H. Johnson wrote: > > > The testcase has been run on Arch and Fedora now, and both of those > > > cases it works fine. >

Re: (nss-3.12.6) unable to engage FIPS mode: "security library: invalid arguments."

2010-06-10 Thread Robin H. Johnson
On Fri, Jun 11, 2010 at 05:59:27AM +, Robin H. Johnson wrote: > On Thu, Jun 10, 2010 at 10:45:03PM +0000, Robin H. Johnson wrote: > > Testcase 2: > > (see attached minimal C code, based on posts to the list and used in the > > modutils source AND Mozilla). > Bah

Re: (nss-3.12.6) unable to engage FIPS mode: "security library: invalid arguments."

2010-06-10 Thread Robin H. Johnson
On Thu, Jun 10, 2010 at 10:45:03PM +0000, Robin H. Johnson wrote: > Testcase 2: > (see attached minimal C code, based on posts to the list and used in the > modutils source AND Mozilla). Bah, forgot the actual file. The testcase has been run on Arch and Fedora now, and both of those

(nss-3.12.6) unable to engage FIPS mode: "security library: invalid arguments."

2010-06-10 Thread Robin H. Johnson
Build params: USE_64=1 NSPR_INCLUDE_DIR=`nspr-config --includedir` NSPR_LIB_DIR=`nspr-config --libdir` BUILD_OPT=1 NSS_USE_SYSTEM_SQLITE=1 NSDISTMODE=copy NSS_ENABLE_ECC=1 XCFLAGS="${CFLAGS}" FREEBL_NO_DEPEND=1 The only patches applied in Gentoo add some pkconfig bits, -- Robin Hugh Johnson

RE: Suggestion: Announce date for MD5 signature deactivation

2009-01-09 Thread Robin Alden
tech-crypto) the trust anchor is protected by other means than its signature. Regards Robin ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: CAs and external entities (resellers, outsourcing)

2009-01-02 Thread robin
On Jan 1, 12:59 am, Eddy Nigg wrote: > Robin, could you provide some clarifications and your opinion concerning > the post I made titled "Facts about Comodo Resellers and RAs" in > particular in relation to the CP and CP statements here: > > http://groups.google.com/grou

Re: Unbelievable!

2008-12-26 Thread robin
On Dec 24, 2:13 am, "Paul C. Bryan" wrote: > On Dec 23, 5:56 pm, ro...@comodo.com wrote: > Some questions: > > 1. Does Comodo take full responsibility for the actions of its > resellers? If so, how should the repercussions of such failures be to > Comodo? Comodo accepts responsibility for the work

Re: Unbelievable!

2008-12-26 Thread robin
On Dec 25, 4:49 pm, Frank Hecker wrote: > Michael Ströder wrote: > > Could you please define a time-frame within Comodo MUST react? > > Comodo (in the person of Robin Alden) has already made a reply: > > http://groups.google.com/group/mozilla.dev.tech.crypto/msg/b24e70ea2c39

Re: Unbelievable!

2008-12-23 Thread robin
looking for ways to improve it. We apologize for Certstar’s mistake and assure you that we will redouble our self-auditing efforts to insure the problem does not repeat itself. Regards Robin Alden Comodo

RE: Unbelievable!

2008-12-22 Thread Robin Alden
l our investigation has been completed. Please let me know if you have any further problems. Regards Robin Alden Comodo > -Original Message- > From: dev-tech-crypto-bounces+robin=comodo@lists.mozilla.org > [mailto:dev-tech-crypto-bounces+robin=comodo@lists.mozilla.org]

RE: Unbelievable!

2008-12-22 Thread Robin Alden
Eddy, That reseller's ability to sell Comodo certificates has been suspended while we investigate why they are apparently not fulfilling their contractual obligations to us. We revoked your certificate for mozilla.com. Regards Robin Alden Comodo > -Original

RE: Comodo ECC CA inclusion/EV request

2008-08-12 Thread Robin Alden
> -Original Message- > From: Eddy Nigg > Sent: Wednesday, August 06, 2008 9:12 PM > To: dev-tech-crypto@lists.mozilla.org > Subject: Re: Comodo ECC CA inclusion/EV request > > Robin Alden: > > Eddy Nigg said: > >> In http://www.mozilla.org/proje

RE: Comodo ECC CA inclusion/EV request

2008-08-06 Thread Robin Alden
Eddy Nigg said:- > Robin Alden: > > f) refers to an SSL product which is limited in such a way that it isn't > > generally usable on the public internet. We offer no warranty on the > > product, and the main part of the domain validation is to ensure that > the >

RE: Comodo ECC CA inclusion/EV request

2008-08-05 Thread Robin Alden
Robin Alden wrote:- > Eddy Nigg wrote:- > > Oh and f) is also interesting ;-), I wonder how many > > "localhost" certificates were issued so far... > [Robin said...] > Not many! We do issue quite a number for organizations to use internally > on > other name

RE: Comodo ECC CA inclusion/EV request

2008-08-05 Thread Robin Alden
s listed in > http://wiki.mozilla.org/CA:Problematic_Practices#Wildcard_DV_SSL_certificates > > But I'm not sure which type the ECC certificates belong to > (which letter under section 2.4.1) in which case e) might not > apply. [Robin said...] We would like to be able to apply any

RE: Comodo request for EV-enabling 3 existing roots

2008-03-28 Thread Robin Alden
Eddy, > > [Robin said...] > > Our main current objection to them is on grounds of maintaining a level > > commercial playing field among all CAs (in the Mozilla root program). > > > Robin, just for your knowledge that most if not all CAs which have roots > in NSS, ar

RE: Comodo request for EV-enabling 3 existing roots

2008-03-27 Thread Robin Alden
to make improvements as a condition of > approval. (An example would be a CA that issued individual certs usable > for S/MIME email, but did not appear to actually verify that the > individual controlled the email address named in the cert.) [Robin said...] Fair enough. > > I do

RE: Comodo request for EV-enabling 3 existing roots

2008-03-26 Thread Robin Alden
ourse do such lobbying > within groups like the CAB Forum, and we will. However I don't believe > that precludes our discussing and taking positions on these issues in > the context of our public forums and web sites. > [Robin said...] We accept that Mozilla has valid and carefully

RE: Comodo request for EV-enabling 3 existing roots

2008-03-26 Thread Robin Alden
seeking on the issues, not > speaking about any possible "sanction" pretty useless. Currently EV > status implies the roots to be also trusted for regular certificates > which is a limitation of NSS. > [Robin said...] Perhaps my problem then is understanding the process at all. You

RE: Comodo request for EV-enabling 3 existing roots

2008-03-26 Thread Robin Alden
> Robin, I have a request to make. Let's put aside for a minute the > procedural matters and let me ask you a few questions: > > - We are not seeking to cause any harm to Comodo or unilaterally remove > the roots from NSS. However can we seek the cooperation on the issues > whi

RE: Comodo request for EV-enabling 3 existing roots

2008-03-26 Thread Robin Alden
> Eddy Nigg (StartCom Ltd.) wrote: > > Robin, just to answer this one... > > > > Robin Alden: > >> [Robin said...] A fair point, and perhaps that is a whole other > >> problem. Our CA *does* have > >> roots in NSS. > >> > > >

RE: Comodo request for EV-enabling 3 existing roots

2008-03-26 Thread Robin Alden
> Robin, just to answer this one... > > Robin Alden: > > [Robin said...] > > A fair point, and perhaps that is a whole other problem. Our CA > *does* have > > roots in NSS. > > > > This is correct. However your CA roots are considered legacy roots >

RE: Comodo request for EV-enabling 3 existing roots

2008-03-26 Thread Robin Alden
> >> But by issuing *domain validated* certificate for up to *ten years*, > >> without revalidation is completely irresponsible and borders on > gross > >> negligent. > >> > > [Robin said...] > > I disagree. With a DV certificate the only thing

RE: Comodo request for EV-enabling 3 existing roots

2008-03-25 Thread Robin Alden
> Robin Alden: > > > > The only certificates we issue for 10 years are DV certificates. > > We do not currently repeat any of the validation checks during a > > certificate's lifetime for any of our certificate types. > > > > The behavior of Comodo in

RE: Comodo request for EV-enabling 3 existing roots

2008-03-24 Thread Robin Alden
t a bulk snapshot of information that we would have gathered for 4.2.1. The 3rd party databases mentioned are the domain registries (for Whois records) or the jurisdictions of incorporation (for evidence of legal existence and correctness of address details, etc, of the legal entity). Regards Robin Alden Comodo CA Ltd.

RE: Comodo request for EV-enabling 3 existing roots

2008-03-24 Thread Robin Alden
list of ways we see people using SSL certificates to commit fraud. Regards Robin Alden Comodo CA Limited

RE: Comodo request for EV-enabling 3 existing roots

2008-03-24 Thread Robin Alden
ed to compete with order CAs issuing wildcard products. Regards Robin Alden Comodo

RE: Comodo request for EV-enabling 3 existing roots

2008-03-24 Thread Robin Alden
ly as a brand of ScandTrust AB. Sweden - although Comodo does have the right to continue using the root CA certificates which we purchased from them and which bear the AddTrust name. Robin Alden

RE: Comodo request for EV-enabling 3 existing roots

2008-03-24 Thread Robin Alden
" - well, I'd rather answer the questions in this forum, if possible. Regards Robin Alden Comodo CA Limited. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eddy Nigg (StartCom Ltd.) Sent: 24 March 2008 02:38 To: Frank Hecker Cc: dev-tech-crypto

RE: Comodo request for EV-enabling 3 existing roots

2008-03-24 Thread Robin Alden
Eddy, I'm sorry I haven't got around to answering your questions until now. You wrote: > 1.) The audit report for non-EV operations refers to the CA operation at > Manchester. The audit report for EV refers to the CA operations at New > Jersey. One of the roots is from a company operatin