Frank Hecker:
> Eddy Nigg wrote:
>> Frank, where is the lack of consensus exactly?
>
> IIRC the reason I changed the wording to "potentially problematic" was
> that some of the practices weren't necessarily "problematic" in all
> contexts, at least IMO. Thus, for example, distributing private keys
Eddy Nigg wrote:
> Frank Hecker:
>> Yes, I'll do that. (Incidentally, I'm now calling it the "potentially
>> problematic practices" list, because there's a lack of consensus on the
>> extent to which some of these practices are problems in general.)
>
> Frank, where is the lack of consensus exactl
Frank Hecker:
>
> Yes, I'll do that. (Incidentally, I'm now calling it the "potentially
> problematic practices" list, because there's a lack of consensus on the
> extent to which some of these practices are problems in general.)
>
Frank, where is the lack of consensus exactly? Are you referring t
Frank Hecker wrote:
> Robin Alden wrote:
>> Frank, would you consider these practices of issuing certificates to
>> hostnames* and also of issuing to non-internet routable IP addresses as
>> being something to add to your problematic practices list?
>
> Yes, I'll do that.
Done:
https://wiki.moz
Robin Alden:
>> I think an IP address is almost on the same level as a domain name, but
>> even here there can be problems. For example if you are willing to
> validate dynamic assigned IP addresses, then this can be actively
>> exploited obviously. An assigned IP may belong to somebody else withi
Frank Hecker wrote:
> Frank Hecker wrote:
>> I am now opening the first public discussion period for a request from
>> Comodo to add the Comodo ECC Certification Authority root certificate
>> to Mozilla and enable it for EV use. This is bug 421946, and Kathleen
>> has produced an information doc
Robin Alden wrote:
> Sure, but CAs issue certificates to IP addresses too (as we discuss below)
> yet the policy does not allow for the possibility. Either the policy is
> imprecise, or it is being flouted by the CAs that issue certificates for IP
> addresses.
You're correct, this is a gap in our
On Wed, Aug 6, 2008 at 1:11 PM, Eddy Nigg <[EMAIL PROTECTED]> wrote:
>
> In other words, Comodo would issue multiple certificates for the very
> same domain name? You could have multiple valid certificates for
> www.mozilla.com?
Technically, there is absolutely nothing wrong with this. Multiple
I
> -Original Message-
> From: Eddy Nigg
> Sent: Wednesday, August 06, 2008 9:12 PM
> To: dev-tech-crypto@lists.mozilla.org
> Subject: Re: Comodo ECC CA inclusion/EV request
>
> Robin Alden:
> > Eddy Nigg said:
> >> In http://www.mozilla.org/proje
Jean-Marc Desperrier:
>
> That part is of course much more dubious. But if you consider hostname
> only servers to be acceptable, there's little ground to say multiple
> subscribers can't have one with the same name. Even if you'd decide to
> try to enforce that, there's no way to restrain another
Eddy Nigg wrote:
> [...]
> In other words, Comodo would issue multiple certificates for the very
> same domain name? You could have multiple valid certificates for
> www.mozilla.com?
It's an actually useful option. You may want the multiple servers that
will answer for www.mozilla.com to not s
Robin Alden:
> Eddy Nigg said:
>> In http://www.mozilla.org/projects/security/certs/policy/ section 7
>> explicitly states:
>>
>> "for a certificate to be used for SSL-enabled servers, the CA takes
>> reasonable measures to verify that the entity submitting the certificate
>> signing request has re
Eddy Nigg wrote:
> My point was that Comodo does issue certificates according to the
> problematic practices listed in our document. Not only that, it does
> more than one of those practices. You stated in the bug however that
> Comodo doesn't issue certificates according to the "Problematic Pra
Eddy Nigg said:-
> Robin Alden:
> > f) refers to an SSL product which is limited in such a way that it isn't
> > generally usable on the public internet. We offer no warranty on the
> > product, and the main part of the domain validation is to ensure that
> the
> > domain name in the certificate i
Robin Alden:
> f) refers to an SSL product which is limited in such a way that it isn't
> generally usable on the public internet. We offer no warranty on the
> product, and the main part of the domain validation is to ensure that the
> domain name in the certificate is not a valid internet name o
Frank Hecker:
> Eddy Nigg wrote:
>> As per your comment in
>> https://bugzilla.mozilla.org/show_bug.cgi?id=421946#c17 you state that
>> no problematic
>> practices associated with this CA, but I found that in section 2.4.1
>> domain validated wild cards are issued, which is listed in
>> http://
Robin Alden:
> f) refers to an SSL product which is limited in such a way that it isn't
> generally usable on the public internet. We offer no warranty on the
> product, and the main part of the domain validation is to ensure that the
> domain name in the certificate is not a valid internet name o
Eddy Nigg wrote:
> As per your comment in
> https://bugzilla.mozilla.org/show_bug.cgi?id=421946#c17 you state that
> no problematic
> practices associated with this CA, but I found that in section 2.4.1
> domain validated wild cards are issued, which is listed in
> http://wiki.mozilla.org/CA:Pr
Robin Alden wrote:-
> Eddy Nigg wrote:-
> > Oh and f) is also interesting ;-), I wonder how many
> > "localhost" certificates were issued so far...
> [Robin said...]
> Not many! We do issue quite a number for organizations to use internally
> on
> other names, though.
> E.g. if we have a server on
Eddy Nigg wrote:-
> (to Frank Hecker)
> As per your comment in
> https://bugzilla.mozilla.org/show_bug.cgi?id=421946#c17 you
> state that no problematic practices associated with this CA,
> but I found that in section 2.4.1 domain validated wild cards
> are issued, which is listed in
>
http://wiki.
Frank Hecker:
> Frank Hecker wrote:
>> I am now opening the first public discussion period for a request from
>> Comodo to add the Comodo ECC Certification Authority root certificate
>> to Mozilla and enable it for EV use. This is bug 421946, and Kathleen
>> has produced an information document att
Frank Hecker wrote:
> I am now opening the first public discussion period for a request from
> Comodo to add the Comodo ECC Certification Authority root certificate to
> Mozilla and enable it for EV use. This is bug 421946, and Kathleen has
> produced an information document attached to the bug.
On Saturday 19 July 2008 19:30:51 Paul Hoffman wrote:
> At 11:04 AM +0100 7/19/08, Rob Stradling wrote:
> >I think that the ECDSA signature algorithms will only be supported in
> > OpenSSL 0.9.9 (not yet released) and above.
> >
> >Try a recent openssl-SNAP-2008mmdd.tar.gz from
> > ftp://ftp.openss
>Paul Hoffman wrote:
>> At 3:24 PM -0700 7/18/08, Wan-Teh Chang wrote:
>>> On Fri, Jul 18, 2008 at 1:58 PM, Paul Hoffman <[EMAIL PROTECTED]>
>>> wrote:
> There's a test site with a Comodo-issued ECC cert at
> https://comodoecccertificationauthority-ev.comodoca.com/
...which no br
Paul Hoffman wrote:
> At 3:24 PM -0700 7/18/08, Wan-Teh Chang wrote:
>> On Fri, Jul 18, 2008 at 1:58 PM, Paul Hoffman <[EMAIL PROTECTED]>
>> wrote:
There's a test site with a Comodo-issued ECC cert at
https://comodoecccertificationauthority-ev.comodoca.com/
>>> ...which no browser will le
Nelson B Bolyard wrote:
>
> Frank Hecker wrote, On 2008-07-18 15:18:
>> Paul Hoffman wrote:
>>> At 9:27 AM -0400 7/18/08, Frank Hecker wrote:
Paul Hoffman wrote:
> Has anyone validated the ECC parameters they used?
Not that I'm aware.
>>> I think that's unfortunate. It is easy
Paul Hoffman wrote, On 2008-07-18 20:00:
>> 2. Import that root CA cert.
>
> restart FF (at least 3)...
should not be necessary. Might be necessary to see the cert in the UI,
due to possible UI issues, but is not required in NSS.
>> I hope you trust the ECC implementation in NSS.
>
> I
Frank Hecker wrote, On 2008-07-18 15:18:
> Paul Hoffman wrote:
>> At 9:27 AM -0400 7/18/08, Frank Hecker wrote:
>>> Paul Hoffman wrote:
>>> > Has anyone validated the ECC parameters they used?
>>>
>>> Not that I'm aware.
>> I think that's unfortunate. It is easy for all of us to test the
>> param
At 11:04 AM +0100 7/19/08, Rob Stradling wrote:
>I think that the ECDSA signature algorithms will only be supported in OpenSSL
>0.9.9 (not yet released) and above.
>
>Try a recent openssl-SNAP-2008mmdd.tar.gz from ftp://ftp.openssl.org/snapshot
>instead.
Will do.
Non-mandatory question: what soft
On Saturday 19 July 2008 00:26:57 Paul Hoffman wrote:
> At 6:18 PM -0400 7/18/08, Frank Hecker wrote:
> >Paul Hoffman wrote:
> >> At 9:27 AM -0400 7/18/08, Frank Hecker wrote:
> >>> Paul Hoffman wrote:
> >>> > Has anyone validated the ECC parameters they used?
> >>>
> >>> Not that I'm aware.
>
At 3:24 PM -0700 7/18/08, Wan-Teh Chang wrote:
>On Fri, Jul 18, 2008 at 1:58 PM, Paul Hoffman <[EMAIL PROTECTED]> wrote:
>>
>>>There's a test site with a Comodo-issued ECC cert at
>>>
>>> https://comodoecccertificationauthority-ev.comodoca.com/
>>
>> ...which no browser will let me into. :-)
>
On Fri, Jul 18, 2008 at 1:58 PM, Paul Hoffman <[EMAIL PROTECTED]> wrote:
>
>>There's a test site with a Comodo-issued ECC cert at
>>
>>https://comodoecccertificationauthority-ev.comodoca.com/
>
> ...which no browser will let me into. :-)
>
>>and the Comodo ECC root CA cert itself is available a
At 6:18 PM -0400 7/18/08, Frank Hecker wrote:
>Paul Hoffman wrote:
>> At 9:27 AM -0400 7/18/08, Frank Hecker wrote:
>>> Paul Hoffman wrote:
>>> > Has anyone validated the ECC parameters they used?
>>>
>>> Not that I'm aware.
>>
>> I think that's unfortunate. It is easy for all of us to test th
Paul Hoffman wrote:
> At 9:27 AM -0400 7/18/08, Frank Hecker wrote:
>> Paul Hoffman wrote:
>> > Has anyone validated the ECC parameters they used?
>>
>> Not that I'm aware.
>
> I think that's unfortunate. It is easy for all of us to test the
> parameters for RSA certs, but few of us have software
At 9:27 AM -0400 7/18/08, Frank Hecker wrote:
>Paul Hoffman wrote:
> > Has anyone validated the ECC parameters they used?
>
>Not that I'm aware.
I think that's unfortunate. It is easy for all of us to test the
parameters for RSA certs, but few of us have software for testing ECC
certs.
>There's
On Fri, Jul 18, 2008 at 12:48 PM, Frank Hecker
<[EMAIL PROTECTED]> wrote:
> Wan-Teh Chang wrote:
>> In your summary of information for CAs, you
>> should replace "Modulus (key length)" by "EC parameters (named curve)"
>> for ECC roots.
>
> I've revised the information checklist to reflect your comm
Wan-Teh Chang wrote:
> In your summary of information for CAs, you
> should replace "Modulus (key length)" by "EC parameters (named curve)"
> for ECC roots.
I've revised the information checklist to reflect your comments; see
item 2.6:
http://wiki.mozilla.org/CA:Information_checklist
Please let
On Fri, Jul 18, 2008 at 6:27 AM, Frank Hecker
<[EMAIL PROTECTED]> wrote:
> Paul Hoffman wrote:
>> Has anyone validated the ECC parameters they used?
>
> Not that I'm aware. There's a test site with a Comodo-issued ECC cert at
>
> https://comodoecccertificationauthority-ev.comodoca.com/
>
> and the
On Thu, Jul 17, 2008 at 8:54 PM, Paul Hoffman <[EMAIL PROTECTED]> wrote:
> Has anyone validated the ECC parameters they used?
They use the NIST P-384 curve (secp384r1), which is in NSA Suite B.
Wan-Teh
Paul Hoffman wrote:
> Has anyone validated the ECC parameters they used?
Not that I'm aware. There's a test site with a Comodo-issued ECC cert at
https://comodoecccertificationauthority-ev.comodoca.com/
and the Comodo ECC root CA cert itself is available at
http://crt.comodoca.com/COMODOEC
Has anyone validated the ECC parameters they used?
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
I am now opening the first public discussion period for a request from
Comodo to add the Comodo ECC Certification Authority root certificate to
Mozilla and enable it for EV use. This is bug 421946, and Kathleen has
produced an information document attached to the bug.
https://bugzilla.mozill