Frank Hecker:
> Eddy Nigg wrote:
>> Frank, where is the lack of consensus exactly?
>
> IIRC the reason I changed the wording to "potentially problematic" was
> that some of the practices weren't necessarily "problematic" in all
> contexts, at least IMO. Thus, for example, distributing private keys
Eddy Nigg wrote:
> Frank Hecker:
>> Yes, I'll do that. (Incidentally, I'm now calling it the "potentially
>> problematic practices" list, because there's a lack of consensus on the
>> extent to which some of these practices are problems in general.)
>
> Frank, where is the lack of consensus exactl
Frank Hecker:
>
> Yes, I'll do that. (Incidentally, I'm now calling it the "potentially
> problematic practices" list, because there's a lack of consensus on the
> extent to which some of these practices are problems in general.)
>
Frank, where is the lack of consensus exactly? Are you referring t
Frank Hecker wrote:
> Robin Alden wrote:
>> Frank, would you consider these practices of issuing certificates to
>> hostnames* and also of issuing to non-internet routable IP addresses as
>> being something to add to your problematic practices list?
>
> Yes, I'll do that.
Done:
https://wiki.moz
Robin Alden:
>> I think an IP address is almost on the same level as a domain name, but
>> even here there can be problems. For example if you are willing to
>> validate dynamically assigned IP addresses, then this can be actively
>> exploited obviously. An assigned IP may belong to somebody else withi
Frank Hecker wrote:
> Frank Hecker wrote:
>> I am now opening the first public discussion period for a request from
>> Comodo to add the Comodo ECC Certification Authority root certificate
>> to Mozilla and enable it for EV use. This is bug 421946, and Kathleen
>> has produced an information doc
Robin Alden wrote:
> Sure, but CAs issue certificates to IP addresses too (as we discuss below)
> yet the policy does not allow for the possibility. Either the policy is
> imprecise, or it is being flouted by the CAs that issue certificates for IP
> addresses.
You're correct, this is a gap in our
On Wed, Aug 6, 2008 at 1:11 PM, Eddy Nigg <[EMAIL PROTECTED]> wrote:
>
> In other words, Comodo would issue multiple certificates for the very
> same domain name? You could have multiple valid certificates for
> www.mozilla.com?
Technically, there is absolutely nothing wrong with this. Multiple
I
> -Original Message-
> From: Eddy Nigg
> Sent: Wednesday, August 06, 2008 9:12 PM
> To: dev-tech-crypto@lists.mozilla.org
> Subject: Re: Comodo ECC CA inclusion/EV request
>
> Robin Alden:
> > Eddy Nigg said:
> >> In http://www.mozilla.org/proje
Jean-Marc Desperrier:
>
> That part is of course much more dubious. But if you consider hostname
> only servers to be acceptable, there's little ground to say multiple
> subscribers can't have one with the same name. Even if you'd decide to
> try to enforce that, there's no way to restrain another
Eddy Nigg wrote:
> [...]
> In other words, Comodo would issue multiple certificates for the very
> same domain name? You could have multiple valid certificates for
> www.mozilla.com?
It's an actually useful option. You may want the multiple servers that
will answer for www.mozilla.com to not s
Robin Alden:
> Eddy Nigg said:
>> In http://www.mozilla.org/projects/security/certs/policy/ section 7
>> explicitly states:
>>
>> "for a certificate to be used for SSL-enabled servers, the CA takes
>> reasonable measures to verify that the entity submitting the certificate
>> signing request has re
Eddy Nigg wrote:
> My point was that Comodo does issue certificates according to the
> problematic practices listed in our document. Not only that, it does
> more than one of those practices. You stated in the bug however that
> Comodo doesn't issue certificates according to the "Problematic Pra
Eddy Nigg said:-
> Robin Alden:
> > f) refers to an SSL product which is limited in such a way that it isn't
> > generally usable on the public internet. We offer no warranty on the
> > product, and the main part of the domain validation is to ensure that
> the
> > domain name in the certificate i
Robin Alden:
> f) refers to an SSL product which is limited in such a way that it isn't
> generally usable on the public internet. We offer no warranty on the
> product, and the main part of the domain validation is to ensure that the
> domain name in the certificate is not a valid internet name o
Frank Hecker:
> Eddy Nigg wrote:
>> As per your comment in
>> https://bugzilla.mozilla.org/show_bug.cgi?id=421946#c17 you state that
>> no problematic
>> practices associated with this CA, but I found that in section 2.4.1
>> domain validated wild cards are issued, which is listed in
>> http://
Robin Alden:
> f) refers to an SSL product which is limited in such a way that it isn't
> generally usable on the public internet. We offer no warranty on the
> product, and the main part of the domain validation is to ensure that the
> domain name in the certificate is not a valid internet name o
Eddy Nigg wrote:
> As per your comment in
> https://bugzilla.mozilla.org/show_bug.cgi?id=421946#c17 you state that
> no problematic
> practices associated with this CA, but I found that in section 2.4.1
> domain validated wild cards are issued, which is listed in
> http://wiki.mozilla.org/CA:Pr
Robin Alden wrote:-
> Eddy Nigg wrote:-
> > Oh and f) is also interesting ;-), I wonder how many
> > "localhost" certificates were issued so far...
> [Robin said...]
> Not many! We do issue quite a number for organizations to use internally
> on
> other names, though.
> E.g. if we have a server on
Eddy Nigg wrote:-
> (to Frank Hecker)
> As per your comment in
> https://bugzilla.mozilla.org/show_bug.cgi?id=421946#c17 you
> state that no problematic practices associated with this CA,
> but I found that in section 2.4.1 domain validated wild cards
> are issued, which is listed in
>
http://wiki.
Frank Hecker:
> Frank Hecker wrote:
>> I am now opening the first public discussion period for a request from
>> Comodo to add the Comodo ECC Certification Authority root certificate
>> to Mozilla and enable it for EV use. This is bug 421946, and Kathleen
>> has produced an information document att
Frank Hecker wrote:
> I am now opening the first public discussion period for a request from
> Comodo to add the Comodo ECC Certification Authority root certificate to
> Mozilla and enable it for EV use. This is bug 421946, and Kathleen has
> produced an information document attached to the bug.
On Saturday 19 July 2008 19:30:51 Paul Hoffman wrote:
> At 11:04 AM +0100 7/19/08, Rob Stradling wrote:
> >I think that the ECDSA signature algorithms will only be supported in
> > OpenSSL 0.9.9 (not yet released) and above.
> >
> >Try a recent openssl-SNAP-2008mmdd.tar.gz from
> > ftp://ftp.openss
>Paul Hoffman wrote:
>> At 3:24 PM -0700 7/18/08, Wan-Teh Chang wrote:
>>> On Fri, Jul 18, 2008 at 1:58 PM, Paul Hoffman <[EMAIL PROTECTED]>
>>> wrote:
> There's a test site with a Comodo-issued ECC cert at
> https://comodoecccertificationauthority-ev.comodoca.com/
...which no br
Paul Hoffman wrote:
> At 3:24 PM -0700 7/18/08, Wan-Teh Chang wrote:
>> On Fri, Jul 18, 2008 at 1:58 PM, Paul Hoffman <[EMAIL PROTECTED]>
>> wrote:
There's a test site with a Comodo-issued ECC cert at
https://comodoecccertificationauthority-ev.comodoca.com/
>>> ...which no browser will le
Nelson B Bolyard wrote:
>
> Frank Hecker wrote, On 2008-07-18 15:18:
>> Paul Hoffman wrote:
>>> At 9:27 AM -0400 7/18/08, Frank Hecker wrote:
Paul Hoffman wrote:
> Has anyone validated the ECC parameters they used?
Not that I'm aware.
>>> I think that's unfortunate. It is easy
Paul Hoffman wrote, On 2008-07-18 20:00:
>> 2. Import that root CA cert.
>
> restart FF (at least 3)...
should not be necessary. Might be necessary to see the cert in the UI,
due to possible UI issues, but is not required in NSS.
>> I hope you trust the ECC implementation in NSS.
>
> I
Frank Hecker wrote, On 2008-07-18 15:18:
> Paul Hoffman wrote:
>> At 9:27 AM -0400 7/18/08, Frank Hecker wrote:
>>> Paul Hoffman wrote:
>>> > Has anyone validated the ECC parameters they used?
>>>
>>> Not that I'm aware.
>> I think that's unfortunate. It is easy for all of us to test the
>> param
At 11:04 AM +0100 7/19/08, Rob Stradling wrote:
>I think that the ECDSA signature algorithms will only be supported in OpenSSL
>0.9.9 (not yet released) and above.
>
>Try a recent openssl-SNAP-2008mmdd.tar.gz from ftp://ftp.openssl.org/snapshot
>instead.
Will do.
Non-mandatory question: what soft
On Saturday 19 July 2008 00:26:57 Paul Hoffman wrote:
> At 6:18 PM -0400 7/18/08, Frank Hecker wrote:
> >Paul Hoffman wrote:
> >> At 9:27 AM -0400 7/18/08, Frank Hecker wrote:
> >>> Paul Hoffman wrote:
> >>> > Has anyone validated the ECC parameters they used?
> >>>
> >>> Not that I'm aware.
>
At 3:24 PM -0700 7/18/08, Wan-Teh Chang wrote:
>On Fri, Jul 18, 2008 at 1:58 PM, Paul Hoffman <[EMAIL PROTECTED]> wrote:
>>
>>>There's a test site with a Comodo-issued ECC cert at
>>>
>>> https://comodoecccertificationauthority-ev.comodoca.com/
>>
>> ...which no browser will let me into. :-)
>
On Fri, Jul 18, 2008 at 1:58 PM, Paul Hoffman <[EMAIL PROTECTED]> wrote:
>
>>There's a test site with a Comodo-issued ECC cert at
>>
>>https://comodoecccertificationauthority-ev.comodoca.com/
>
> ...which no browser will let me into. :-)
>
>>and the Comodo ECC root CA cert itself is available a
At 6:18 PM -0400 7/18/08, Frank Hecker wrote:
>Paul Hoffman wrote:
>> At 9:27 AM -0400 7/18/08, Frank Hecker wrote:
>>> Paul Hoffman wrote:
>>> > Has anyone validated the ECC parameters they used?
>>>
>>> Not that I'm aware.
>>
>> I think that's unfortunate. It is easy for all of us to test th
Paul Hoffman wrote:
> At 9:27 AM -0400 7/18/08, Frank Hecker wrote:
>> Paul Hoffman wrote:
>> > Has anyone validated the ECC parameters they used?
>>
>> Not that I'm aware.
>
> I think that's unfortunate. It is easy for all of us to test the
> parameters for RSA certs, but few of us have software
At 9:27 AM -0400 7/18/08, Frank Hecker wrote:
>Paul Hoffman wrote:
> > Has anyone validated the ECC parameters they used?
>
>Not that I'm aware.
I think that's unfortunate. It is easy for all of us to test the
parameters for RSA certs, but few of us have software for testing ECC
certs.
>There's
On Fri, Jul 18, 2008 at 12:48 PM, Frank Hecker
<[EMAIL PROTECTED]> wrote:
> Wan-Teh Chang wrote:
>> In your summary of information for CAs, you
>> should replace "Modulus (key length)" by "EC parameters (named curve)"
>> for ECC roots.
>
> I've revised the information checklist to reflect your comm
Wan-Teh Chang wrote:
> In your summary of information for CAs, you
> should replace "Modulus (key length)" by "EC parameters (named curve)"
> for ECC roots.
I've revised the information checklist to reflect your comments; see
item 2.6:
http://wiki.mozilla.org/CA:Information_checklist
Please let
On Fri, Jul 18, 2008 at 6:27 AM, Frank Hecker
<[EMAIL PROTECTED]> wrote:
> Paul Hoffman wrote:
>> Has anyone validated the ECC parameters they used?
>
> Not that I'm aware. There's a test site with a Comodo-issued ECC cert at
>
> https://comodoecccertificationauthority-ev.comodoca.com/
>
> and the
On Thu, Jul 17, 2008 at 8:54 PM, Paul Hoffman <[EMAIL PROTECTED]> wrote:
> Has anyone validated the ECC parameters they used?
They use the NIST P-384 curve (secp384r1), which is in NSA Suite B.
Wan-Teh
Paul Hoffman wrote:
> Has anyone validated the ECC parameters they used?
Not that I'm aware. There's a test site with a Comodo-issued ECC cert at
https://comodoecccertificationauthority-ev.comodoca.com/
and the Comodo ECC root CA cert itself is available at
http://crt.comodoca.com/COMODOEC
Has anyone validated the ECC parameters they used?
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto