Re: SHA256 certificate support in Firefox.
2010/3/19 Mountie Lee moun...@paygate.net:
> Hi.
> I got to understand the differences and limitations.
>
> personal certificate signed by CA with SHA256 is OK in current firefox.
> the CertificateVerify step of SSL handshaking procedure does not support
> SHA256 in current firefox.
>
> right?

Yes, that's right.

Does OpenSSL support TLS 1.2 now? What TLS 1.2 server are you using?
Microsoft IIS?

Wan-Teh
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: SHA256 certificate support in Firefox.
On 2010/03/18 19:55 PST, Mountie Lee wrote:
> Hi. all.
> I'm Mountie Lee of PayGate, Korea.

Welcome.

> in Korea, National PKI is becoming big issue maker.
> one of good considerations is storing National Certificate to Browser
> KeyStore.

Are you talking about a root CA certificate? Or a user's own personal
certificate? or both? or ??

> also KISA has planned to upgrade certificate specification using SHA256
> hash algorithm in next year.
> but current firefox version does not seem to support SHA256 certificate.

I believe that it does. Why do you think that it does not?
Re: SHA256 certificate support in Firefox.
On 2010/03/18 20:09 PST, Gen Kanai wrote:
> KISA = Korea Internet Security Agency (a Korean government body that
> manages infosec policy.)

Yeah, the NSS team has had a fair amount of interaction with KISA in the
past, such as when we integrated their implementations of SEED and the TLS
SEED cipher suites.

It looks like Mountie has a good command of English. That will help a lot.
Language has been a barrier in the past to numerous South Korean efforts to
promote their ciphers and their PKI designs and standards. I welcome the
participation of those who can and wish to bridge that gap.

Regards,
/Nelson
Re: SHA256 certificate support in Firefox.
On 3/19/10 3:37 PM, Nelson B Bolyard wrote:
> On 2010/03/18 19:55 PST, Mountie Lee wrote:
>> Hi. all.
>> I'm Mountie Lee of PayGate, Korea.
>
> Welcome.
>
>> in Korea, National PKI is becoming big issue maker.
>> one of good considerations is storing National Certificate to Browser
>> KeyStore.
>
> Are you talking about a root CA certificate? Or a user's own personal
> certificate? or both? or ??
>
>> also KISA has planned to upgrade certificate specification using SHA256
>> hash algorithm in next year.
>> but current firefox version does not seem to support SHA256 certificate.
>
> I believe that it does. Why do you think that it does not?

Could we be bumping up against that content handler bug for pkcs client
certs?

https://bugzilla.mozilla.org/show_bug.cgi?id=542441

--
Gen Kanai
Re: SHA256 certificate support in Firefox.
On Friday, 19 March 2010, Mountie Lee wrote:
> May I ask Firefox has plan to support SHA256 in near future or URL link
> for discussion thread?

I have set up a test site with sha256/sha512 certificates and they work
pretty well within all browsers I've tested including firefox.

See here:
http://hboeck.de/archives/730-SSL-Certificates-with-SHA256-signature.html

And here:
https://sha2.hboeck.de/
https://sha512.hboeck.de/

The question is: What do you mean with support SHA256? SSL uses hash
algorithms at various places, but certificates signed with sha256 + rsa are
well supported by ff and nss. But for example it's from my knowledge not
possible to get a sha256-fingerprint of a certificate in firefox.

--
Hanno Böck
Blog: http://www.hboeck.de/
GPG: 3DBD3B20
Jabber/Mail:ha...@hboeck.de

http://schokokeks.org - professional webhosting
Re: SHA256 certificate support in Firefox.
Hi.
sha256 certificate means client certificate using sha256 for ssl client
authentication.

regards.
mountie.

2010/3/20 Hanno Böck ha...@hboeck.de
> On Friday, 19 March 2010, Mountie Lee wrote:
>> May I ask Firefox has plan to support SHA256 in near future or URL link
>> for discussion thread?
>
> I have set up a test site with sha256/sha512 certificates and they work
> pretty well within all browsers I've tested including firefox.
>
> See here:
> http://hboeck.de/archives/730-SSL-Certificates-with-SHA256-signature.html
>
> And here:
> https://sha2.hboeck.de/
> https://sha512.hboeck.de/
>
> The question is: What do you mean with support SHA256? SSL uses hash
> algorithms at various places, but certificates signed with sha256 + rsa are
> well supported by ff and nss. But for example it's from my knowledge not
> possible to get a sha256-fingerprint of a certificate in firefox.
>
> --
> Hanno Böck

--
Mountie Lee

Tel : +82 2 2140 2700
E-Mail : moun...@paygate.net
Twitter : mountielee
===
PayGate Inc.
* WEB STANDARD PAYMENT
* PCI DSS 100% COMPLIANT
* www.paygate.net
* payg...@paygate.net
Re: SHA256 certificate support in Firefox.
hi.
I read the thread #542441.
that is about mime type handling in firefox.
and has no relation with my question.

On Fri, Mar 19, 2010 at 4:09 PM, Gen Kanai gka...@gmail.com wrote:
> On 3/19/10 3:37 PM, Nelson B Bolyard wrote:
>> On 2010/03/18 19:55 PST, Mountie Lee wrote:
>>> Hi. all.
>>> I'm Mountie Lee of PayGate, Korea.
>>
>> Welcome.
>>
>>> in Korea, National PKI is becoming big issue maker.
>>> one of good considerations is storing National Certificate to Browser
>>> KeyStore.
>>
>> Are you talking about a root CA certificate? Or a user's own personal
>> certificate? or both? or ??
>>
>>> also KISA has planned to upgrade certificate specification using SHA256
>>> hash algorithm in next year.
>>> but current firefox version does not seem to support SHA256 certificate.
>>
>> I believe that it does. Why do you think that it does not?
>
> Could we be bumping up against that content handler bug for pkcs client
> certs?
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=542441
>
> --
> Gen Kanai

--
Mountie Lee
Re: SHA256 certificate support in Firefox.
2010/3/19 Mountie Lee moun...@paygate.net:
> Hi.
> sha256 certificate means client certificate using sha256 for ssl client
> authentication.

If you mean the signature in the TLS/SSL CertificateVerify message, then
only TLS 1.2 allows you to use a SHA-256 signature, and NSS doesn't support
TLS 1.2 yet.

Wan-Teh
Re: SHA256 certificate support in Firefox.
On Fri, Mar 19, 2010 at 6:50 PM, Wan-Teh Chang w...@google.com wrote:
> 2010/3/19 Mountie Lee moun...@paygate.net:
>> Hi.
>> sha256 certificate means client certificate using sha256 for ssl client
>> authentication.
>
> If you mean the signature in the TLS/SSL CertificateVerify message, then
> only TLS 1.2 allows you to use a SHA-256 signature, and NSS doesn't support
> TLS 1.2 yet.

I should clarify that NSS can still use a client certificate signed by its
CA with a SHA-256 signature to do SSL client authentication. It's just that
the signature in the CertificateVerify message will be the format specified
in TLS 1.0/SSL 3.0.

Wan-Teh
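
[Added example, not part of the original message and not NSS code: what an RSA client key signs in CertificateVerify under TLS 1.0 (RFC 2246) versus TLS 1.2 with SHA-256 (RFC 5246), independent of the hash the CA used to sign the client certificate. The transcript bytes and function names are constructed for illustration; SSL 3.0 derives its two hashes differently and is not shown.]

```python
import hashlib

# DER DigestInfo header for SHA-256 (RFC 8017, section 9.2).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def pkcs1_type1_block(payload: bytes, modulus_len: int) -> bytes:
    """PKCS#1 v1.5 block type 1: 00 01 FF..FF 00 || payload (input to the RSA private-key op)."""
    pad_len = modulus_len - 3 - len(payload)
    if pad_len < 8:
        raise ValueError("RSA modulus too small for this payload")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + payload

def certverify_tls10_rsa(handshake_messages: bytes, modulus_len: int) -> bytes:
    """TLS 1.0/1.1, RSA key: raw MD5 || SHA-1 (36 bytes) is signed, with no DigestInfo."""
    md5_sha1 = (hashlib.md5(handshake_messages).digest()
                + hashlib.sha1(handshake_messages).digest())
    return pkcs1_type1_block(md5_sha1, modulus_len)

def certverify_tls12_rsa_sha256(handshake_messages: bytes, modulus_len: int):
    """TLS 1.2: the message names its algorithm pair, then signs a SHA-256 DigestInfo."""
    sig_and_hash = bytes([4, 1])  # HashAlgorithm sha256(4), SignatureAlgorithm rsa(1)
    digest_info = SHA256_DIGESTINFO + hashlib.sha256(handshake_messages).digest()
    return sig_and_hash, pkcs1_type1_block(digest_info, modulus_len)

def signed_payload(block: bytes) -> bytes:
    """Strip the 00 01 FF..FF 00 padding and return the bytes that were actually signed."""
    return block[block.index(b"\x00", 2) + 1:]

# Constructed stand-in for the concatenated handshake messages (not a real capture).
TRANSCRIPT = b"ClientHello|ServerHello|Certificate|CertificateRequest|..."

if __name__ == "__main__":
    old = certverify_tls10_rsa(TRANSCRIPT, 256)  # 256 bytes = 2048-bit client key
    alg, new = certverify_tls12_rsa_sha256(TRANSCRIPT, 256)
    print("TLS 1.0 signs", len(signed_payload(old)), "bytes: MD5 || SHA-1")
    print("TLS 1.2 signs", len(signed_payload(new)), "bytes, algorithm id", alg.hex())
```
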
Re: SHA256 certificate support in Firefox.
Hi.
I got to understand the differences and limitations.

personal certificate signed by CA with SHA256 is OK in current firefox.
the CertificateVerify step of SSL handshaking procedure does not support
SHA256 in current firefox.

right?

regards.
mountie.

On Sat, Mar 20, 2010 at 10:53 AM, Wan-Teh Chang w...@google.com wrote:
> On Fri, Mar 19, 2010 at 6:50 PM, Wan-Teh Chang w...@google.com wrote:
>> 2010/3/19 Mountie Lee moun...@paygate.net:
>>> Hi.
>>> sha256 certificate means client certificate using sha256 for ssl client
>>> authentication.
>>
>> If you mean the signature in the TLS/SSL CertificateVerify message, then
>> only TLS 1.2 allows you to use a SHA-256 signature, and NSS doesn't
>> support TLS 1.2 yet.
>
> I should clarify that NSS can still use a client certificate signed by its
> CA with a SHA-256 signature to do SSL client authentication. It's just that
> the signature in the CertificateVerify message will be the format specified
> in TLS 1.0/SSL 3.0.
>
> Wan-Teh

--
Mountie Lee
Re: SHA256 certificate support in Firefox.
KISA = Korea Internet Security Agency (a Korean government body that
manages infosec policy.)

http://www.kisa.or.kr/eng/index.jsp

On 3/19/10 11:55 AM, Mountie Lee wrote:
> Hi. all.
> I'm Mountie Lee of PayGate, Korea.
>
> in Korea, National PKI is becoming big issue maker.
> one of good considerations is storing National Certificate to Browser
> KeyStore.
>
> also KISA has planned to upgrade certificate specification using SHA256
> hash algorithm in next year.
> but current firefox version does not seem to support SHA256 certificate.
>
> May I ask Firefox has plan to support SHA256 in near future or URL link
> for discussion thread?
>
> --
> Mountie Lee

--
Gen Kanai
Re: SHA256 certificate support in Firefox.
Hi.
thanks for your fast reply.

I understand NSS support SHA256 from 2003 with version 3.8
does the latest firefox use the latest NSS library?

best regards.
mountie.

On Fri, Mar 19, 2010 at 12:06 PM, Kurt Seifried k...@seifried.org wrote:
> Replying off list.
>
> 10 April 2003: NSS 3.8 Release
> The new features and enhancements in NSS 3.8 include the SHA-256, SHA-384,
> and SHA-512 algorithms, enhanced smartcard support, and the elliptic curve
> cryptography code (not compiled by default) contributed by Sun Labs. For
> details, see NSS 3.8 Release Notes.
>
> NSS claims to support it since 2003. If it truly doesn't then that sounds
> like a pretty bad bug.
>
> 2010/3/18 Mountie Lee moun...@paygate.net:
>> Hi. all.
>> I'm Mountie Lee of PayGate, Korea.
>>
>> in Korea, National PKI is becoming big issue maker.
>> one of good considerations is storing National Certificate to Browser
>> KeyStore.
>>
>> also KISA has planned to upgrade certificate specification using SHA256
>> hash algorithm in next year.
>> but current firefox version does not seem to support SHA256 certificate.
>>
>> May I ask Firefox has plan to support SHA256 in near future or URL link
>> for discussion thread?
>>
>> --
>> Mountie Lee

--
Mountie Lee
Re: SHA256 certificate support in Firefox.
Hi!

On Mar 19, 12:22 pm, Mountie Lee moun...@paygate.net wrote:
> Hi.
> thanks for your fast reply.
>
> I understand NSS support SHA256 from 2003 with version 3.8
> does the latest firefox use the latest NSS library?
>
> best regards.
> mountie.

Current Firefox 3.5.8 and 3.6.1 seem to include NSS 3.12.5.

regards,
Akira Machida / JCSI