Nelson Bolyard wrote:
>
> When you trust a cert as a peer, you trust it for all the names that
> appear in that cert, just as if it had been issued by a CA you trust.
> If it has 50 subject alt names, or a wildcard name, you trust that cert
> for all those names.
>
> It turned out that browser us
Nelson Bolyard wrote, On 2008-08-12 22:59:
> I didn't understand that very well, but I _think_ you're saying that if
> adding a CA cert that trusted to issue client certs causes that CA to also
> be trusted to issue server certs, that would be bad.
>
> Indeed, that would be bad, and it definitely
Howard Chu wrote:
> Likewise in the Mozilla Browser/nss_ldap situation, the credentials
> needed for LDAP authentication will probably be quite different from the
> credentials needed for web browsing or personal addressbook lookups. It
> would be extremely bad if simply using Mozilla on a syste
Howard Chu wrote:
> Nelson B Bolyard wrote:
>> Howard Chu wrote, On 2008-08-10 03:30:
>> When one considers all the important reasons to choose a crypto
>> implementation, support for one file format which is not used in any
>> standard protocols (e.g. TLS, SMIME) doesn't seem like a biggie.
>
> T
Howard Chu wrote, On 2008-08-12 19:12:
> That was the other point I was trying to make about global state... It's
> common practice to set up services with private CAs, so that random nosy
> clients cannot connect to them. In an OpenLDAP proxy installation you'll
> have one server cert/key and arb
Julien R Pierre - Sun Microsystems wrote:
> Nelson,
>
> Nelson Bolyard wrote:
>> Julien R Pierre wrote on 2008-08-12 16:53 PDT:
>>> Robert Relyea wrote:
>>>
SECMOD_OpenUserDB() will open new database slots in the internal
database module.
>>> Unfortunately, those additional DBs can't be m
Nelson,
Nelson Bolyard wrote:
> Julien R Pierre wrote on 2008-08-12 16:53 PDT:
>> Robert Relyea wrote:
>>
>>> SECMOD_OpenUserDB() will open new database slots in the internal
>>> database module.
>> Unfortunately, those additional DBs can't be manipulated separately.
>
> huh?
> - key gens can b
Julien R Pierre wrote on 2008-08-12 16:53 PDT:
> Robert Relyea wrote:
>
>> SECMOD_OpenUserDB() will open new database slots in the internal
>> database module.
>
> Unfortunately, those additional DBs can't be manipulated separately.
huh?
- key gens can be done in each one separately,
- certs c
Bob,
Robert Relyea wrote:
> SECMOD_OpenUserDB() will open new database slots in the internal
> database module.
Unfortunately, those additional DBs can't be manipulated separately.
This is particularly a problem for trust.
___
dev-tech-crypto mailin
Howard,
Howard Chu wrote:
> Did any of those FIPS audits red-flag the above code snippet?
Of course not.
You seem to be mistaken about the purpose and scope of FIPS140 validation.
Only cryptographic code needs to be validated. The libnss initialization
code is not cryptographic code, and thus
Nelson B Bolyard wrote:
Howard Chu wrote, On 2008-08-11 20:07:
Nelson B Bolyard wrote:
Howard Chu wrote, On 2008-08-10 14:13:
It would make it impossible to use in e.g. OpenLDAP/nss_ldap because
applications would be unable to load their own configuration settings
after nss_ldap
Howard Chu wrote, On 2008-08-11 20:07:
> Nelson B Bolyard wrote:
>> Howard Chu wrote, On 2008-08-10 14:13:
>
>>> It would make it impossible to use in e.g. OpenLDAP/nss_ldap because
>>> applications would be unable to load their own configuration settings
>>> after nss_ldap/libldap/nss initialized
Nelson B Bolyard wrote:
> Howard Chu wrote, On 2008-08-10 14:13:
>> It would make it impossible to use in e.g. OpenLDAP/nss_ldap because
>> applications would be unable to load their own configuration settings
>> after nss_ldap/libldap/nss initialized.
>
> Nothing prevents each application from ha
On Sun, Aug 10, 2008 at 2:13 PM, Howard Chu <[EMAIL PROTECTED]> wrote:
>
> There's other relics lying around in the code, waiting to bite:
>
> nss/lib/nss/nssinit.c:561
> #ifndef XP_MAC
> /* only servers need this. We currently do not have a mac server */
> if ((!noModDB) && (!noCertDB) &&
David Stutzman wrote:
>>> Actually, most of the developers who work on it are
>> developing it for
>>> servers. It is revenue from server sales that pay the salaries of
>>> most of NSS developers (since revenues from browser sales
>> are ... low :).
>>
>> They must be using it in pretty simple sce
> > Actually, most of the developers who work on it are
> developing it for
> > servers. It is revenue from server sales that pay the salaries of
> > most of NSS developers (since revenues from browser sales
> are ... low :).
>
> They must be using it in pretty simple scenarios so far. The
> w
Nelson B Bolyard wrote:
> Howard Chu wrote, On 2008-08-10 14:13:
>
>> The issue isn't about a specific file format, it's about overall
>> usability. Ignoring the issue of hiding things in a fragile DB the
>> problem is that it's a one-shot monolithic configuration. A process may
>> only call NSS_In
Howard Chu wrote, On 2008-08-10 14:13:
> The issue isn't about a specific file format, it's about overall
> usability. Ignoring the issue of hiding things in a fragile DB the
> problem is that it's a one-shot monolithic configuration. A process may
> only call NSS_Init once, and provides a singl
Eddy Nigg wrote:
> Well, consider that people are familiar with OpenSSL commands and new
> users get quickly used to it. This "might" be what others are looking
> for when checking out NSS and other libraries (and decide to forget
> about it).
Look into the other thread started by me "Creating
Nelson B Bolyard wrote:
> Howard Chu wrote, On 2008-08-10 03:30:
> When one considers all the important reasons to choose a crypto
> implementation, support for one file format which is not used in any
> standard protocols (e.g. TLS, SMIME) doesn't seem like a biggie.
The issue isn't about a speci
Nelson B Bolyard:
> Howard Chu wrote, On 2008-08-10 03:30:
>> Following on from the discussion in
>> https://bugzilla.mozilla.org/show_bug.cgi?id=292127 today I took a look
>> at what would be involved in adding NSS support to OpenLDAP. Aside from
>> the lack of hassle-free PEM support (which it ap
Howard Chu wrote, On 2008-08-10 03:30:
>> Nelson B Bolyard wrote:
>>> Someone could write a PKCS#11 module that uses PEM files as its storage.
>>> It wouldn't be FIPS validated, at least not initially.
>
> In that case, there's even less motivation to adopt NSS, since OpenSSL is
> moving ahead
Robert Relyea wrote:
> Nelson B Bolyard wrote:
>> Joe Orton wrote, On 2008-07-28 16:09:
>>> On Sat, Jul 26, 2008 at 05:17:56PM -0700, Nelson Bolyard wrote:
Daniel Stenberg wrote, On 2008-07-26 13:45:
> As a user of OpenSSL, NSS, yassl and GnuTLS I can certainly agree that
> GnuTLS has
Nelson B Bolyard wrote:
Joe Orton wrote, On 2008-07-28 16:09:
On Sat, Jul 26, 2008 at 05:17:56PM -0700, Nelson Bolyard wrote:
Daniel Stenberg wrote, On 2008-07-26 13:45:
As a user of OpenSSL, NSS, yassl and GnuTLS I can certainly agree that
GnuTLS has flaws in its API but NSS m
On Mon, 28 Jul 2008, Nelson B Bolyard wrote:
> The requirement to put all cryptographically sensitive information into a
> well defined crypto boundary seems very elegant. It explains how NSS was
> able to work with so many third party crypto gizmos starting in the late
> 90's, and how it was
Rainer Gerhards wrote, On 2008-07-29 03:41 PDT:
> I am stepping in as a TLS-newbe who a few weeks ago selected to start
> a project with GnuTLS over NSS because there is very little
> *documentation* inside NSS that tells how to get started on a simple
> system that does not involve in-depth knowl
> -Original Message-
> The requirement to put all cryptographically sensitive
> information into a
> well defined crypto boundary seems very elegant. It explains
> how NSS was
> able to work with so many third party crypto gizmos starting
> in the late
> 90's, and how it was able to get
On Jul 27, 2:17 am, Nelson Bolyard <[EMAIL PROTECTED]>
wrote:
> Daniel Stenberg wrote, On 2008-07-26 13:45:
>
> > As a user of OpenSSL, NSS, yassl and GnuTLS I can certainly agree that
> > GnuTLS has flaws in its API but NSS most certainly also has flaws as well
> > _and_ notable missing features t
Wan-Teh Chang wrote, On 2008-07-28 18:20:
> On Mon, Jul 28, 2008 at 5:44 PM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
>> NSS's own PKCS#11 module claims to be 2.10 (don't know why, because it
>> has many features from 2.20).
>
> I believe we claim to be 2.20. See the NSC_GetInfo function:
> ht
On Mon, Jul 28, 2008 at 5:44 PM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
>
> NSS's own PKCS#11
> module claims to be 2.10 (don't know why, because it has many features from
> 2.20).
I believe we claim to be 2.20. See the NSC_GetInfo function:
http://mxr.mozilla.org/security/ident?i=NSC_GetInf
Joe Orton wrote, On 2008-07-28 16:09:
> On Sat, Jul 26, 2008 at 05:17:56PM -0700, Nelson Bolyard wrote:
>> Daniel Stenberg wrote, On 2008-07-26 13:45:
>>
>>> As a user of OpenSSL, NSS, yassl and GnuTLS I can certainly agree that
>>> GnuTLS has flaws in its API but NSS most certainly also has flaws
Kyle Hamilton wrote, On 2008-07-28 17:23:
> This is, honestly, a matter of "NSS's implementors decided to force
> administrators and users to jump through hoops." There may be
> legitimate policy concerns with certain policies that require
> everything to be inside the database that NSS uses.
Not
This is, honestly, a matter of "NSS's implementors decided to force
administrators and users to jump through hoops." There may be
legitimate policy concerns with certain policies that require
everything to be inside the database that NSS uses... but for those
who don't have those policy restrictio
On Sat, Jul 26, 2008 at 05:17:56PM -0700, Nelson Bolyard wrote:
> Daniel Stenberg wrote, On 2008-07-26 13:45:
>
> > As a user of OpenSSL, NSS, yassl and GnuTLS I can certainly agree that
> > GnuTLS has flaws in its API but NSS most certainly also has flaws as well
> > _and_ notable missing feature
Daniel Stenberg wrote, On 2008-07-28 13:48:
> On Mon, 28 Jul 2008, Nelson B Bolyard wrote:
>
>> NSS is quite capable of importing certificates in "PEM" format.
>
> Importing them where? If I want to use NSS for the TLS layer and I have
> the ca cert in a PEM format file, how can I make NSS use th
On Mon, 28 Jul 2008, Nelson B Bolyard wrote:
> NSS is quite capable of importing certificates in "PEM" format.
Importing them where? If I want to use NSS for the TLS layer and I have the ca
cert in a PEM format file, how can I make NSS use that file when I connect to
the peer?
My current code
Daniel Stenberg wrote, On 2008-07-28 09:12:
> On Sat, 26 Jul 2008, Nelson Bolyard wrote:
>
>>> As a user of OpenSSL, NSS, yassl and GnuTLS I can certainly agree that
>>> GnuTLS has flaws in its API but NSS most certainly also has flaws as well
>>> _and_ notable missing features that GnuTLS offer
On Sat, 26 Jul 2008, Nelson Bolyard wrote:
>> As a user of OpenSSL, NSS, yassl and GnuTLS I can certainly agree that
>> GnuTLS has flaws in its API but NSS most certainly also has flaws as well
>> _and_ notable missing features that GnuTLS offers.
>
> Daniel, please tell us what features are mis
Nelson Bolyard a écrit :
> [...]
> Daniel, please tell us what features are missing that you would actually use
> if they were present!
I recently selected Gnutls for a project, only because it was the only
library supporting TLS 1.1's Maximum Fragment Length Negotiation.
Daniel Stenberg wrote, On 2008-07-26 13:45:
> As a user of OpenSSL, NSS, yassl and GnuTLS I can certainly agree that
> GnuTLS has flaws in its API but NSS most certainly also has flaws as well
> _and_ notable missing features that GnuTLS offers.
Daniel, please tell us what features are missing th
On Sat, 26 Jul 2008, Michael Ströder wrote:
http://trac.gnutls.org/cgi-bin/trac.cgi/ticket/18#comment:1
(Well, they even aren't keeping their issue tracker spam-free...)
Please, spam is hardly their fault and I don't think you help them any way by
being rude.
As a user of OpenSSL, NSS, yass
Wan-Teh Chang wrote:
> On Thu, Jul 24, 2008 at 7:31 PM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
>> I've been told that GnuTLS's API only supports carrying non-binary
>> text strings as application data, and doesn't facilitate the transmission
>> of pure binary files (e.g. containing lots of zer
On Thu, Jul 24, 2008 at 7:31 PM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
>
> I've been told that GnuTLS's API only supports carrying non-binary
> text strings as application data, and doesn't facilitate the transmission
> of pure binary files (e.g. containing lots of zero bytes). I find that
>
Julien R Pierre - Sun Microsystems wrote:
> Copyright owner :
> RSA security should be removed !
> Netscape/Sun/Red Hats are the original developers of most of the code.
> But they don't hold the copyright (see GPL/LPGL/MPL licenses)
Let's not confuse licensing with copyright ownership. AFAIK Net
Daniel Stenberg wrote, On 2008-07-23 14:43:
> On Wed, 23 Jul 2008, Ruchi Lohani wrote:
>
>> Since a lot of open source softwares are using NSS, I wish to know whether
>> we have some documentation on specifics of
>>
>> OpenSSL and NSS and the advantages NSS has over OpenSSL. If so, can anybody
>
Paul,
Paul Hoffman wrote:
> At 11:43 PM +0200 7/23/08, Daniel Stenberg wrote:
>> If you can stand a comparison that also involves GnuTLS, then the
>> GnuTLS guys
>> have one:
>>
>> http://www.gnu.org/software/gnutls/comparison.html
>
> There are a lot of question marks on that for NSS. Some
On Wed, Jul 23, 2008 at 2:43 PM, Daniel Stenberg <[EMAIL PROTECTED]> wrote:
>
> If you can stand a comparison that also involves GnuTLS, then the GnuTLS guys
> have one:
>
>http://www.gnu.org/software/gnutls/comparison.html
That's a useful page.
The code size table is missing libfreebl3 a
At 11:43 PM +0200 7/23/08, Daniel Stenberg wrote:
>If you can stand a comparison that also involves GnuTLS, then the GnuTLS guys
>have one:
>
> http://www.gnu.org/software/gnutls/comparison.html
There are a lot of question marks on that for NSS. Someone familiar
with all the NSS extensions
On Wed, 23 Jul 2008, Ruchi Lohani wrote:
> Since a lot of open source softwares are using NSS, I wish to know whether
> we have some documentation on specifics of
>
> OpenSSL and NSS and the advantages NSS has over OpenSSL. If so, can anybody
> direct me over that or just give a brief comparison
Hi all,
Since a lot of open source softwares are using NSS, I wish to know
whether we have some documentation on specifics of
OpenSSL and NSS and the advantages NSS has over OpenSSL. If so, can
anybody direct me over that or just give a brief comparison of both.
Thanks
Ruchi
_
50 matches
Mail list logo
