Re: Improving SSL client auth and bad certificate reporting in non-browser applications
On 26/03/10 19:04, Kai Engert wrote:
> thanks a lot for your feedback.
>
> I've created a graphical presentation for the client authentication part:
> http://kuix.de/mozilla/sslauth/cli-v1-pres/

I still haven't had a chance to look at this :-(( I'm very sorry.

(I do have a good excuse, though:
http://weblogs.mozillazine.org/gerv/archives/2010/04/a_speech_for_easter_sunday.html)

Gerv
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: S/MIME interop issue with Outlook 2010 beta
On 31/03/2010 17:11, Kaspar Brand wrote:
> On 31.03.2010 07:49, Michael Ströder wrote:
>> It seems it's a CMS structure and recipientInfos contains subject key
>> ids instead of issuerAndSerialNumber. It seems Seamonkey 2.0.x does not
>> support that. Is it supported by the underlying libs?
>
> I believe so, see
> http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/smime/cmsreclist.c&mark=89-91#85
>
> That's the code which is used by nsCMSMessage
> (http://mxr.mozilla.org/comm-central/ident?i=nsCMSMessage), and
> therefore also by Seamonkey.

Are you certain? Previously we found out real ugly SMIME code that hardcodes the use of SHA-1:
http://groups.google.fr/group/mozilla.dev.tech.crypto/msg/7a15dafef963fe20
and here directly for the code:
https://mxr.mozilla.org/comm-central/source/mailnews/extensions/smime/src/nsMsgComposeSecure.cpp#496

When I checked, I concluded that code reimplements everything on top of low-level pkcs#7 (nss/lib/pkcs7/) and makes no use of nss/lib/smime.

I need to check the code you dug out here. It seems very confusing.

Re: Alerts on TLS Renegotiation
On 4/9/2010 6:06 PM, Matt McCutchen wrote:
> On Fri, 2010-04-09 at 09:34 -0700, johnjbarton wrote:
>> On 4/8/2010 12:13 PM, Matt McCutchen wrote:
>>> On Thu, 2010-04-08 at 09:35 -0700, johnjbarton wrote:
>>>> On 4/7/2010 9:35 PM, Nelson B Bolyard wrote:
>>>>> ...
>>>>> Inconveniencing the users is a NECESSARY part of getting this
>>>>> vulnerability fixed. Without that, the servers have NO INCENTIVE to
>>>>> lift a finger to fix this.
>>>>> ...
>>>>
>>>> The claim is obviously false as the recent update to Firefox 3.6.3
>>>> clearly demonstrates. If server operators believe their users are at
>>>> risk, then they will take immediate action to protect them.
>>>
>>> Firefox developers != server operators.
>>
>> Both groups are committed to their users and both groups will respond to
>> realistic security threats to their users. Neither group should be
>> blackmailed into pointless action by badgering users.
>
> Are you saying that Mozilla shouldn't encourage users to bother their
> server operators because if the problem were real, the server operators
> would already have fixed it? I think you give the server operators way
> too much credit. People are lazy. I trust Mozilla much more than the
> average sysadmin to properly assess vulnerabilities.

Your assessment of the relative commitment and competence of these two groups of people is unjustified by facts.

> Besides, in my view, the problem is real. For better or for worse, the
> goal of SSL has always been to provide complete protection against a
> middleman who controls the network. And for certain designs of Web apps
> which are not intrinsically unreasonable (see my other message), it
> completely fails to prevent a middleman from subverting your requests.

I appreciate your commitment to improving Web security. Please channel this passion in a respectful fashion. Rather than arrogantly asserting superiority over server admins and irresponsibly exhorting users to harass them, build a clearer case for the potential dangers here.

Then contact the communications people in Mozilla, large international Web service companies, professional organizations of server administrators, news organizations, slash.dot, and so forth. Explain the problem and the fix. This procedure will prepare you and the people you contact for future similar problems and strengthen our entire system.

jjb

Certificate Patrol error (or malformed ssl certificate?)
So I logged in to a bank today and Certificate Patrol threw up a warning I haven't seen before (see attached image).

What is wrong with this you ask? Look at the dates on the certificates. When is 204/19/2010 exactly?

So I downloaded the certificate and ran it through openssl, the text output looks ok, and it looks ok in Firefox's certificate screen. I can't find a way to contact Certificate Patrol to report a bug though:

https://addons.mozilla.org/en-US/firefox/addon/6415

This is the first time I have seen Certificate Patrol do this. If anyone knows how to contact them, if you could forward this on I'd appreciate it, or let me know how to contact them, that'd work too.

CC'ing Joe Schiavo as well just in case the certificate is broken in a subtle manner (although as best I can tell it's ok).

It might be a good idea to require some sort of contact info (i.e. email address) or a website with useful information for add-ons so people can get in contact with authors to report bugs/etc.

-Kurt

During the Certificate issue process, is there any way to select a token for the user automatically?
Hi,

I'm working on a certificate renewal process for a bank in China. The bank stores the certificate in a USB key, and when the user needs to renew the certificate, the bank will trigger the cert issue process to do that, using keygen.

But when the issue begins, because the USB key, which is a token, is connected to the computer, that will cause Firefox to detect at least 2 tokens, and a dialog will pop up and tell the user to select a token.

But if the user selects the software token embedded in Firefox, which is the default choice, then the cert issue process will be in vain, although it may succeed.

Is there any way to automatically select a token for the user, so that the token choice dialog does not appear?

Thank you very much in advance :)