Re: CRL Management

2003-10-23 Thread Jean-Marc Desperrier
Scott Rea wrote:
How come there is not an option to simply import a CRL in the Manage CRL 
window?? [Preferences/Privacy & Security/Validation/Manage CRLs]

Why is there no option to export Other certs in the Manage Certificate 
interface???
Because this kind of option is only added as people require it ...

When importing certificates, it would appear that certs stored in binary 
do not work, only pem or base64 encoded certs seem to be able to be 
imported. Is this correct?
Cert in binary should work.
Make sure you receive no extra data at the end.
___
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto


LDAP CRLs

2003-10-23 Thread Scott Rea
Can anyone tell me how I can import and manage a CRL from an LDAP URI?

-Scott



Re: LDAP CRLs

2003-10-23 Thread Rich Megginson
Scott Rea wrote:
Can anyone tell me how I can import and manage a CRL from an LDAP URI?
I'm not sure what you mean.  Can you be more specific?  Import and manage from 
what app?

-Scott



Re: CRL Management

2003-10-23 Thread Jean-Marc Desperrier
Scott Rea wrote:
Jean-Marc Desperrier wrote:
Scott Rea wrote:
How come there is not an option to simply import a CRL in the Manage 
CRL window?? [Preferences/Privacy & Security/Validation/Manage CRLs]

Why is there no option to export Other certs in the Manage 
Certificate interface???
Because this kind of option is only added as people require it ... 
OK, we require them, 
This was just my personal comment.
I feel that the way the PKI interface has been implemented in Mozilla 
is not developer/power user friendly; only the functionality the 
average Joe needs is there, and additional functionality has been 
only slowly added.
For example, when import was added for other certs/CAs, the thinking was 
not pushed far enough to add it in the case you raise here.

About importing CRLs, dropping a .crl file on a browser window should 
import it under Windows.

how do we get them added to the list of future 
functionality and what is the usual timeframe for something like this to 
make it from design to release?
The end of the support of Mozilla by AOL means that there is no longer one 
central entity making such decisions.
Of course mozilla.org will centralize such things, but is itself 
dependent on external contributions for the manpower.

And right now mozilla.org is missing such contributions for the 
PKI/Personal Security Manager part of Mozilla. There are extremely few 
people available working on that. AOL/Sun have their own agenda that, at 
least for the time being, pushes them to devote some resources to the 
development of NSS, but not to that of the higher-level interface.

And what you request typically belongs to that level.
As well as the apparent bug for cert importation.
The positive point is that if you are willing to make it, you will be 
warmly welcomed.



Re: Write protected PKCS#11 Soft Token?

2003-10-23 Thread Nelson B
Andy Duplain wrote:

Your choices are: (a) try to generate a session object, or (b) try to
generate a token object in the Certificate DB token (which might work).
OK, I'll give that a try.  Presumably I have to use C_Login to gain write
access to that token?  I have written another mini test program and login to
that token, which succeeds, however the token still has CKF_WRITE_PROTECTED
set from C_GetTokenInfo.
For the Certificate DB slot?

I encourage you to take a look at 
http://lxr.mozilla.org/mozilla/source/security/nss/lib/softoken/pkcs11.c#2922
which is the source to NSS's C_GetTokenInfo.  You'll see that this function
returns one of four combinations of flags:

1. CKF_RNG | CKF_WRITE_PROTECTED | CKF_THREAD_SAFE;

2. CKF_THREAD_SAFE | CKF_LOGIN_REQUIRED;

3. CKF_THREAD_SAFE | CKF_USER_PIN_INITIALIZED;

4. CKF_THREAD_SAFE | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED;

The WRITE_PROTECTED flag is only (and always) set for a slot that doesn't
have an open key DB.  So, either (a) you're checking the Generic slot, or
(b) the key DB really isn't open in the Certificate DB slot.
--
Nelson B
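
An added example (not code from the thread or from NSS) that decodes the CK_TOKEN_INFO.flags word C_GetTokenInfo returns according to the four combinations listed above, so a caller can tell a slot with no open key DB apart from one that merely needs C_Login. It assumes the standard PKCS#11 v2.x flag values; CKF_THREAD_SAFE is NSS-private and is not defined here, so only the three distinguishing bits are inspected, and the meaning given to cases 2 and 3 is my reading, not something the thread states.

```c
/* Added example, not from the thread or NSS: decode CK_TOKEN_INFO.flags
 * against the four combinations C_GetTokenInfo in softoken can return.
 * Standard PKCS#11 flag values; CKF_THREAD_SAFE (NSS-private) is ignored. */
#include <stdio.h>

typedef unsigned long CK_FLAGS;              /* same typedef as pkcs11t.h */
#define CKF_RNG                  0x00000001UL
#define CKF_WRITE_PROTECTED      0x00000002UL
#define CKF_LOGIN_REQUIRED       0x00000004UL
#define CKF_USER_PIN_INITIALIZED 0x00000008UL

enum token_state {
    TOKEN_NO_KEYDB,        /* case 1: no open key DB, token is read-only */
    TOKEN_KEYDB_NO_PIN,    /* case 2: key DB open, password never set (my reading) */
    TOKEN_KEYDB_EMPTY_PIN, /* case 3: key DB open, empty password (my reading) */
    TOKEN_KEYDB_PIN_SET,   /* case 4: key DB open, password set, login needed */
    TOKEN_UNEXPECTED       /* none of the softoken combinations */
};

enum token_state classify_token_flags(CK_FLAGS flags) {
    /* Only these three bits distinguish the four cases; other bits are ignored. */
    CK_FLAGS f = flags & (CKF_WRITE_PROTECTED | CKF_LOGIN_REQUIRED |
                          CKF_USER_PIN_INITIALIZED);
    if (f == CKF_WRITE_PROTECTED)
        return TOKEN_NO_KEYDB;
    if (f == CKF_LOGIN_REQUIRED)
        return TOKEN_KEYDB_NO_PIN;
    if (f == CKF_USER_PIN_INITIALIZED)
        return TOKEN_KEYDB_EMPTY_PIN;
    if (f == (CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED))
        return TOKEN_KEYDB_PIN_SET;
    return TOKEN_UNEXPECTED;
}

/* Write protection is independent of login state: C_Login never clears it,
 * so a token object (e.g. a generated key) can only be created when this holds. */
int token_accepts_token_objects(CK_FLAGS flags) {
    return (flags & CKF_WRITE_PROTECTED) == 0;
}

/* Does creating a token object on this token require C_Login first? */
int token_write_needs_login(CK_FLAGS flags) {
    return token_accepts_token_objects(flags) && (flags & CKF_LOGIN_REQUIRED) != 0;
}

int main(void) {
    /* Constructed sample: what a slot without an open key DB reports. */
    CK_FLAGS flags = CKF_RNG | CKF_WRITE_PROTECTED;
    printf("state=%d accepts_token_objects=%d\n",
           (int)classify_token_flags(flags), token_accepts_token_objects(flags));
    return 0;
}
```

If your program sees TOKEN_NO_KEYDB after a successful C_Login, the slot you queried is the one without a key DB, which is the situation the reply above describes.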


Re: CRL Management

2003-10-23 Thread Julien Pierre
Scott,

Scott Rea wrote:
OK, we require them, how do we get them added to the list of future 
functionality and what is the usual timeframe for something like this to 
make it from design to release?
The first step to get this into Mozilla would be to file a bug in 
bugzilla, of type enhancement request, on component PSM (Personal 
Security Manager).

The next step would be to find a programmer to implement it. As far as I 
am aware, there is no one officially working on PSM at this time. So you 
may want to contribute your own time or find a programmer willing to add 
the functionality. At the core it is not very difficult with NSS, I 
suspect the user interface work is the most complicated part.

When importing certificates, it would appear that certs stored in 
binary do not work, only pem or base64 encoded certs seem to be able 
to be imported. Is this correct?


Cert in binary should work.
Make sure you receive no extra data at the end. 
As Jean-Marc said, binary certs should work. Try to use the extension 
.der for the ones that don't work and see if that fixes the problem.

Further investigation shows that binary certs do work (some of the 
time). I can take a binary (or base64) encoded cert and import it into the 
Other store; sometimes it just does not work and I get a silent 
failure, i.e. no notice of failure, the cert just does not show up (perhaps this 
could be a refresh issue). But if I just try the cert again, the next 
time around it seems to work. This appears to be a bug.
The UI part for importing certs in Mozilla certainly seems weak. You 
should file a bug for it (again against PSM).
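
An added example (not code from the thread or from NSS or PSM) for the "no extra data at the end" advice quoted in this message and in Jean-Marc's earlier reply: it parses the outer DER SEQUENCE header of a file and reports how many bytes follow the certificate, so a cert that imports only intermittently can be checked for trailing CRLFs, a PEM footer, or a second object before blaming the import UI. The 64 KiB buffer size and the file name argument are my choices.

```c
/* Added example, not code from the thread or from NSS: verify that a file
 * meant to be a binary (DER) certificate holds exactly one DER SEQUENCE with
 * nothing after it, the "no extra data at the end" condition described above. */
#include <stdio.h>
#include <stdlib.h>

/* Total encoded length (header + content) of the outer DER SEQUENCE, or 0 if
 * the bytes do not start a well-formed SEQUENCE or the data is truncated. */
size_t der_sequence_total_length(const unsigned char *buf, size_t len) {
    size_t content, hdr, n, i;
    if (len < 2 || buf[0] != 0x30)         /* 0x30 = SEQUENCE (constructed) */
        return 0;
    if (buf[1] < 0x80) {                   /* short form: one length byte */
        content = buf[1];
        hdr = 2;
    } else {                               /* long form: 0x80|n, then n bytes */
        n = buf[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || len < 2 + n)
            return 0;
        for (content = 0, i = 0; i < n; i++)
            content = (content << 8) | buf[2 + i];
        hdr = 2 + n;
    }
    if (content > len - hdr)               /* declared more content than present */
        return 0;
    return hdr + content;
}

/* Bytes following the certificate's outer SEQUENCE: 0 means clean, >0 means
 * trailing junk (CRLF, a PEM footer, a second object...), -1 means the data
 * is not DER at all (PEM text starts with '-') or is truncated. */
long der_trailing_bytes(const unsigned char *buf, size_t len) {
    size_t total = der_sequence_total_length(buf, len);
    return total == 0 ? -1 : (long)(len - total);
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s cert.der\n", argv[0]); return 2; }
    FILE *fp = fopen(argv[1], "rb");
    if (!fp) { perror(argv[1]); return 2; }
    unsigned char buf[1 << 16];            /* certificates are well under 64 KiB */
    size_t len = fread(buf, 1, sizeof buf, fp);
    fclose(fp);
    long extra = der_trailing_bytes(buf, len);
    if (extra < 0) printf("%s: not a DER SEQUENCE (PEM text or truncated)\n", argv[1]);
    else printf("%s: %ld trailing byte(s) after the certificate\n", argv[1], extra);
    return extra == 0 ? 0 : 1;
}
```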
