is
outside of NSS:
http://webpki.org/papers/key-access.pdf
Regards,
Anders Rundgren
-Dan Veditz
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
that the groundwork me and my colleagues have done could be useful.
Regards,
Anders Rundgren
-Dan Veditz
Somewhat unfortunate for Microsoft and Intel who have bet the house on TPMs
(Trusted Platform Modules), all their competitors in the mobile space including Google
and Apple, have rather settled on embedded TEE (Trusted Execution Environment) schemes
enabling systems like this:
I'm trying to implement SKS/KeyGen2 in Firefox. This scheme is heavily based
on EC keys.
According to this file
https://chromium.googlesource.com/chromium/chromium/+/master/crypto/ec_private_key_nss.cc
PK11_ImportDERPrivateKeyInfoAndReturnKey doesn't support EC keys.
This was reported 2006.
Is
On 2013-10-10 01:36, Nathan Kinder wrote:
On 09/28/2013 12:17 PM, Brian Smith wrote:
On Sat, Sep 28, 2013 at 7:52 AM, Sean Leonard dev+mozi...@seantek.com
wrote:
On 9/27/2013 5:51 PM, Robert Relyea wrote:
I don't have a problem with going for an industry standard way of doing
all of these
On 2013-10-10 01:36, Nathan Kinder wrote:
On 09/28/2013 12:17 PM, Brian Smith wrote:
On Sat, Sep 28, 2013 at 7:52 AM, Sean Leonard dev+mozi...@seantek.com
wrote:
On 9/27/2013 5:51 PM, Robert Relyea wrote:
I don't have a problem with going for an industry standard way of doing
all of these
snip
Although currently Firefox doesn't display nickname to users in PSM,
but in the near future, FirefoxOS (B2G) will need to display this
(nickname) to the user,
FirefoxOS needs a completely renovated PKI client in order to be
competitive and useful.
Issuer-defined Icons for credential
On 2013-05-15 11:35, Yoshi Huang wrote:
Hi,
Currently on Firefox OS (B2G), there's no Web API that could install PKCS 12.
The use cases could be Wifi, VPN,... etc.
Some examples can be found on Android, see [1]
Although I have found WebCrypto in the wiki and bugzilla,
but it seems it didn't
On 2013-04-08 14:52, helpcrypto helpcrypto wrote:
More generally, I would like to remove all the Mozilla-proprietary methods
and properties from window.crypto; i.e. all the
ones at https://developer.mozilla.org/en-US/docs/JavaScript_crypto. Some of
them are actually pretty problematic.
Are
On 2013-04-08 15:21, helpcrypto helpcrypto wrote:
On Mon, Apr 8, 2013 at 12:10 PM, Anders Rundgren
anders.rundg...@telia.com wrote:
This seems to be out of scope:
http://lists.w3.org/Archives/Public/public-webcrypto/2013Apr/0072.html
Hi Anders.
As it scopes signing:
http://www.w3.org
On 2013-04-01 23:46, Brian Smith wrote:
See https://bugzilla.mozilla.org/show_bug.cgi?id=524664 (bug 524664) and
See
https://developer.mozilla.org/en-US/docs/JavaScript_crypto/generateCRMFRequest
My understanding is that keygen is supposed to replace
window.crypto.generateCRMFRequest.
On 2013-02-21 09:22, helpcrypto helpcrypto wrote:
So, to sum up:
Will it be possible, using Web-Crypto API, to sign using a Pkcs#11
key/cert? What about MSCAPI key/cert?
No.
Will it be possible, using Web-Crypto API, to sign in batch-mode?
Since your requirement was associated with
On 2013-02-21 12:28, helpcrypto helpcrypto wrote:
BTW, what is this?
http://html5.creation.net/webcrypto-api/
These are the s.c. Korean Use-cases which have largely been ignored by the
Web Crypto WG.
Anders
Will it be possible, using Web-Crypto API, to sign in batch-mode?
Like this, I presume:
http://www.secrypt.de/en/products/digiseal-office-pro
I believe Germany is about the only country using such schemes.
IMO it is based on an altogether weird interpretation and use of
the EU signature
On Thu, Feb 21, 2013 at 4:51 PM, Anders Rundgren
anders.rundg...@telia.com wrote:
Will it be possible, using Web-Crypto API, to sign in batch-mode?
Like this, I presume:
http://www.secrypt.de/en/products/digiseal-office-pro
I believe Germany is about the only country using
On 2013-02-15 09:46, helpcrypto helpcrypto wrote:
snip
IMHO, once we have a pkcs#11 interface to handle any smartcard, even
installed cert using NSS softoken, and maybe a wrapper to mscapi...the
only thing left is to use those certs stored somewhere with your
javascript API.
The problem
On 2013-02-15 11:32, helpcrypto helpcrypto wrote:
The problem with this approach is that you expose keys to arbitrary
javascript
code which is rather different to for example TLS-client-certificate
authentication which only exposes a high-level mechanism as well as a
[reasonably] secure
On 2013-02-15 06:38, Martin Paljak wrote:
Hello,
On Thu, Feb 14, 2013 at 5:48 PM, David Dahl dd...@mozilla.com wrote:
I do understand the frustration you must feel in trying to get browsers
to work closely with your national ID/Cert system. There are many such
systems, and trying to create
On 2012-12-31 16:18, Kai Engert wrote:
I propose to more actively involve users into the process of accepting
certificates for domains.
If we get away from garbage like keygen, PKI-based authentication
becomes a natural feature for mobile devices. This in itself renders
the mentioned attacks
On 2012-12-31 16:26, Kai Engert wrote:
I propose to more actively involve users into the process of accepting
certificates for domains.
Although the recent CA failures cast a shadow over the web they have AFAIK
not led to any major losses for anybody.
The credit-card system OTOH is a major
During the Netscape heydays keygen was probably pretty OK. However, that was
a long time ago.
In fact, keygen only meets a single of the dozen+ imaginable features
outlined here:
http://webpki.org/papers/PKI/certenroll-features.pdf
For the PC platform which seems to resist all modernization
On 2012-12-13 17:10, Kai Engert wrote:
Brendan Eich suggested posting to this list, too
(already posted yesterday to Mozilla's dev-planning list).
Hello Mozilla, I'd like to announce a change.
PSM is the name of Mozilla's glue code for PKI related [1] security
features, such as
Hi Julien,
What is Oracle's interest in NSS?
IMO, NSS and JDK are behind the rest of the crypto world due to the
lack of integration with the target OS.
It is possible that this is a no-issue for server-companies like RedHat
but for Mozilla OS it spells disaster. That is, cryptographic keys
I've heard about the Firefox OS but haven't been able to find much information
about the internals, at least not the crypto-part.
Anyway, I guess that Firefox OS uses NSS?
Is it still based on the idea that key access is done in the application
context rather than through a service?
Anders
http://www.w3.org/2012/09/sysapps-wg-charter
http://www.linkedin.com/redirect?url=http%3A%2F%2Fwww%2Ew3%2Eorg%2F2012%2F09%2Fsysapps-wg-charterurlhash=Tqzg_t=tracking_disc
Since the smart card industry have never managed making their stuff web
compatible before, I assume they will fail this time
signedContent;
}
}
throw new SignatureException ("No CA key matching: " +
cert.getIssuerX500Principal().getName());
}
2012-09-14 15:51, KidAlchemy wrote:
On Friday, August 17, 2012 5:44:40 AM UTC-4, Anders Rundgren wrote:
On 2012-08-15 21:35, KidAlchemy wrote
On 2012-08-22 00:38, Julien Pierre wrote:
Julien,
On 8/21/2012 00:45, Anders Rundgren wrote:
On 2012-08-21 05:42, Julien Pierre wrote:
Anders,
On 8/14/2012 20:40, Anders Rundgren wrote:
http://communities.intel.com/community/vproexpert/blog/2012/05/18/intel-ipt-with-embedded-pki
On 2012-08-15 21:35, KidAlchemy wrote:
On Thursday, August 9, 2012 10:26:12 AM UTC-4, KidAlchemy wrote:
I want to use the JSS library just to parse the CMS package into the
specific structures that are provided by JSS. I can get the signedData,
then I call signedData.getContentInfo(), which
support PIN-codes, client-key agility, issuer
conformation, etc.
Anders
-Original Message-
From: dev-tech-crypto-bounces+wprice=mitre@lists.mozilla.org
[mailto:dev-tech-crypto-bounces+wprice=mitre@lists.mozilla.org] On Behalf
Of Anders Rundgren
Sent: Tuesday, August 14, 2012 11
http://communities.intel.com/community/vproexpert/blog/2012/05/18/intel-ipt-with-embedded-pki-and-protected-transaction-display
Apparently your next PC already has it.
What's missing is a provisioning facility for unleashing the power of this
scheme so that it isn't limited to one OS, one CA
http://www.intel.com/content/www/us/en/architecture-and-technology/identity-protection/public-key-infrastructure.html
Like most HW-security solutions this appears to be more or less secret...
Anders
On 2012-08-02 22:16, David Woodhouse wrote:
On Wed, 2012-08-01 at 11:58 +0200, Anders Rundgren wrote:
http://www.finextra.com/news/announcement.aspx?pressreleaseid=45624
Current platforms are useless for banking so what else could they do?
The big problem with the VbV insanity wasn't
On 2012-08-02 13:22, Jean-Marc Desperrier wrote:
Anders Rundgren a écrit :
http://www.finextra.com/news/announcement.aspx?pressreleaseid=45624
Current platforms are useless for banking so what else could they do?
What role does the password serve here, except forcing me to create
http://www.finextra.com/news/announcement.aspx?pressreleaseid=45624
Current platforms are useless for banking so what else could they do?
Anders
I think you need to take a step back and consider which
market and user-base you are targeting. Linux on the
desktop? Why bother with that? Linux servers? Well,
*that* could be interesting. Unfortunately it doesn't
help much since most servers run JBoss etc so it is
actually more a JDK
at 10:53 +0200, Anders Rundgren wrote:
I think you need to take a step back and consider which
market and user-base you are targeting.
No, I believe that's been clear from the beginning. Apologies if I
didn't make it explicit enough.
Linux on the desktop? Why bother with that?
Linux
I won't bother you more on this topic but I honestly do not think
that there will be any progress worth mentioning (particularly on
the fragmented OSS side) until Intel comes out with an open version
of:
http://ipt.intel.com
I hope to make it easier for Intel by doing things in the opposite way,
wrote:
On Tue, 2012-07-24 at 16:12 +0200, Anders Rundgren wrote:
IMO, this is not an NSS issue, it is rather a *NIX issue. All other
operating systems (that I'm aware of NB...) including *NIX-derivates
like Android, already have a system-wide cryptographic architecture.
Yes. It's an issue
IMO, this is not an NSS issue, it is rather a *NIX issue. All other
operating systems (that I'm aware of NB...) including *NIX-derivates
like Android, already have a system-wide cryptographic architecture.
Most (if not all) of these build on services rather than libraries.
Anders
On
to be severely lagging in this respect.
I don't think porting NSS to Android necessarily is a prerequisite
for porting Firefox to Android. IMO, it is rather a disadvantage
with multiple keystores and systems.
Anders
On 2012-07-06 12:54, Anders Rundgren wrote:
On 2012-07-06 10:29, ianG wrote:
On 6/07
On 2012-07-06 01:51, Robert Relyea wrote:
I've gotten NSS to build and mostly run the tests for Android. There are
still a number of tests failing, so the work isn't all done, but it was
a good point to snapshot what I had.
How does this compare/interact with Android's built-in key-store?
On 2012-07-06 10:29, ianG wrote:
On 6/07/12 16:14 PM, Anders Rundgren wrote:
On 2012-07-06 01:51, Robert Relyea wrote:
I've gotten NSS to build and mostly run the tests for Android.
Cool!
There are
still a number of tests failing, so the work isn't all done, but it was
a good point
On 2012-04-20 10:34, helpcrypto helpcrypto wrote:
After reading your three mails, I have only one thing to say: Clear as water.
Thanks a lot for your patience and effort on explaining this for
short-minded like me.
Thanks a lot, REALLY, for your long, detailed and clear answer.
Of course,
On 2012-04-19 17:09, David Dahl wrote:
Hello All:
[I have cross posted this message to dev-platform and dev-tech-crypto,
perhaps we should discuss this on dev-platform as it has a larger subscriber
base?].
I am just putting together a draft feature page for an internal API needed by
the
On 2012-04-19 09:21, helpcrypto helpcrypto wrote:
(to me, that question makes no sense. users can't talk to smart cards.
Only smart card readers and programs can. So what smart card reader and
what program is doing this? A dumb smart card reader and a browser,
following Javascript
On 2012-04-19 16:41, helpcrypto helpcrypto wrote:
My solution to this is to treat all PKI-using applications as complete
applications running in trusted code. W3C tries to do something different,
we'll see how that pans out...
Ok Anders, but you are -again- talking much about your protocol,
Dear helpcrypto, now it became a little bit messy because I'm talking about
principles while you are talking about specific interfaces like NSS, and PKCS
#11.
During enrollment, I need to know card is present and the keypair is
generated inside. How can I achieve this without a pkcs#11
On 2012-04-18 11:04, helpcrypto helpcrypto wrote:
On Wed, Apr 18, 2012 at 10:03 AM, Anders Rundgren
anders.rundg...@telia.com wrote:
Dear helpcrypto, now it became a little bit messy because I'm talking about
principles while you are talking about specific interfaces like NSS, and
PKCS #11
On 2012-04-18 13:06, ianG wrote:
(lo-pri interest only requests)
Short return then :-)
On 18/04/12 20:00 PM, Anders Rundgren wrote:
On 2012-04-18 11:04, helpcrypto helpcrypto wrote:
Container attestations must be performed at the APDU-level since
E2ES cannot be abstracted.
I don't
On 2012-04-17 09:06, helpcrypto helpcrypto wrote:
I would not build a scheme based on NSS because NSS is not a prerequisite
unless you force people to use Firefox.
We aren't forcing. We already support Microsoft, OSX and Google
browsers, and (trying) Firefox too.
Hooking Mozilla/NSS into
On 2012-04-17 11:14, helpcrypto helpcrypto wrote:
So, do you (we) ALL agree NSS should be modified to hook with system
keystores like Windows or OSX? (Linux has no default system keystore,
so there will be no changes by now)
Maybe wtc has something to say against this...
Are mozilla (we)
On 2012-04-17 14:14, helpcrypto helpcrypto wrote:
It was for example suggested that PKCS #11 should be exposed as a
JavaScript object. I think that is downright ridiculous idea,
almost as bad as: http://www.sconnect.com/FAQ/index.html
Let me expose two user-cases where I think that will be
On 2012-04-16 09:47, helpcrypto helpcrypto wrote:
If you'd like to help make Firefox better for enterprises, we'd be
delighted to have you submit patches instead of questioning our
commitment to our users.
I'll ask another way: Is there any argument against compiling NSS with
@loader_path
On 2012-04-11 07:42, Gen Kanai wrote:
On 4/9/12 6:05 PM, helpcrypto helpcrypto wrote:
The question can be changed to:
-Does Mozilla want companies and businesses to use Firefox? (rather than
chrome)
-Does Mozilla think themes and make up are more important to business
than this kind of
On 2012-04-09 10:27, helpcrypto helpcrypto wrote:
So, IIUC, both of you consider using system/os/platform keystore
(directly [or hooked]) the best option?
IMHO it depends quite a bit on what your target audience is.
If you (for example) are working with server-applications you
are likely to
On 2012-04-09 11:21, helpcrypto helpcrypto wrote:
IMHO it depends quite a bit on what your target audience is.
Document signing on a web browser, it's *always* done using Java applets.
Tax payment, traffic bills, more taxes...in our case, official
documents signed by the ministry
On 2012-04-09 12:13, helpcrypto helpcrypto wrote:
http://www.w3.org/2011/11/webcryptography-charter.html
BSmith and RRelyea directed me there also. All fishes go to sea... ;)
The really big fishes (Google, Apple, and Microsoft) haven't said a word
(in public) about their interest in this. I
On 2012-04-02 21:07, Robert Relyea wrote:
On 03/27/2012 01:00 AM, helpcrypto helpcrypto wrote:
Cough, cough...exit(CKR_OK) != return CKR_OK...cough, cough
Now cert8 is modified always (with or without our module).
Anyway, can someone tell me why cert8 is rewritten on each run/close?
Because
On 2012-04-04 13:04, helpcrypto helpcrypto wrote:
IIRC, NSS doesn't have an official maintainer on Mozilla bugs, isn't it?
If this happens, it's probably the source of many problems here. I have
filed a few bugs and most of them aren't even checked.
To be fair honest, I'm also guilty of that, but I
It is hard to see that GUI changes would have any function except for
the very few who understand the difference between roots and sub-CAs.
It is similar to the EV green bar. It doesn't make any difference for
normal people.
The recent screw-ups didn't invalidate the system; it rather made the
After looking into several similar solutions including Gnome Keyring
I wonder if it is not time for NSS transcending into a service rather
than a library running in application context.
Anyway, it seems pretty difficult adding a trusted GUI or application ACL
support to NSS without a major
On 2012-01-05 02:45, Robert Relyea wrote:
I am curious as to how smartcard management is supposed to work for Linux.
It seems to me that it would be ideal for Firefox to support the shared DB
on Linux. Are there OS-level tools for managing the shared DB.
For example, is there an OS-level UI
On 2012-01-03 23:44, Robert Relyea wrote:
On 12/30/2011 06:53 AM, Anders Rundgren wrote:
On 2011-12-29 23:08, Brian Smith wrote:
Matej Kurpel wrote:
On 22. 12. 2011 10:36, Imen Ibn Hotab wrote:
I'm developing pkcs#11 module for Firefox.
I was developing a PKCS#11 module as well.
Just out
On 2011-12-29 23:08, Brian Smith wrote:
Matej Kurpel wrote:
On 22. 12. 2011 10:36, Imen Ibn Hotab wrote:
I'm developing pkcs#11 module for Firefox.
I was developing a PKCS#11 module as well.
Just out of curiosity, what do your PKCS#11 modules do?
Would it make things easier for either
Naturally a system like described below must support an */issuer-defined/* ACLs
on enrolled keys...
/a
Original Message
Subject: gnome-keyring Question about ACL per storage item
Date: Thu, 20 Oct 2011 10:17:00 +0300
From: Elena Reshetova elena.reshet...@gmail.com
To:
Recently there has been some discussions in the IETF PKIX list regarding future
enrollment systems including those in browsers.
I remain confident that it is infeasible extending such a scheme to include
smart cards since Certificate Enrollment and Token Provisioning are very
different, even
Today's harvest :-)
HTTPS client-certificate-authentication in browsers
===
I don't believe that TLS CCA (Client Certificate Authentication) in the
form of HTTPS as implemented in current browsers has much of a future.
In fact, quite a bunch of the
On 2011-06-21 11:18, Konstantin Andreev wrote:
[combining two cites to save space]
On 21.06.11 00:48, Anders Rundgren wrote:
We have both come to the conclusion that Firefox et al sucks since just
about all serious users need to deploy plugins in order to use their PKIs.
On 18.06.11 19
On 2011-06-20 09:29, Jean-Marc Desperrier wrote:
Anders Rundgren wrote:
The webcrypto-api proposal is oriented around certificate/X509/smartcard
PKI, I end up with the feeling the two proposals live in different realms.
http://html5.creation.net/webcrypto-api
Thanx J-M, I wasn't aware
Some three years ago I published a proposal on how browsers could be
extended with potentially more powerful, XML-centric variants of
keygen, signText(), CertEnroll, etc.
Given the recent work on JSON-based security-protocols in the IETF, as well as
some old-timers clinging on to ASN.1, I have
On 2011-06-17 15:31, Jean-Marc Desperrier wrote:
David Dahl wrote:
I find this API effort very interesting, however I'm left with the
feeling you wish to leave out the use of PKI elements.
A really neutral API would work both with and without PKI.
Public Key crypto is actually the main use
On 2011-06-14 16:48, Jean-Marc Desperrier wrote:
David Dahl wrote:
From: L. David Baron dba...@dbaron.org
On Monday 2011-06-13 15:31 -0700, David Dahl wrote:
In trying to get the word out about a browser crypto API I am
championing (see:
On 2011-05-12 19:52, Honza Bambas wrote:
On 5/9/2011 10:52 PM, Michael Helm wrote:
This flavor of firefox 4
Useragent string: Mozilla/5.0 (Android; Linux armv7l; rv:2.1.1) Gecko/
Firefox/4.0.2pre Fennec/4.0.1
(which can be installed on Android phones tablets)
seems to lack a functioning
Dear NSSers,
It seems that enrollment of credentials has finally gotten the attention it
deserves:
http://www.ietf.org/mail-archive/web/pkix/current/msg29024.html
Anders
On 2011-03-13 16:36, Honza Bambas wrote:
On 3/5/2011 9:22 PM, Nelson B Bolyard wrote:
There's an unfinished set of code in Mozilla's CVS repository that
implements a PKCS#11 module on top of MS CAPI, enabling access to certs
and keys in Windows' cert and key stores. Read about it in
physical access to the device.
Pardon for being a PITA but mobile phones should IMO not inherit all the legacy
c**p we have in desktop systems.
Anders Rundgren
On 2011-03-10 09:32, Daniel Stenberg wrote:
On Wed, 9 Mar 2011, Anders Rundgren wrote:
It is too late introducing TLS-SRP, the market will not use it.
Uh? There's not just one single market that will or won't use a particular
protocol feature. There are plenty of different areas where TLS
It is too late introducing TLS-SRP, the market will not use it.
Why not make NSS more useful for certificates instead?
Anders
On 2011-03-09 09:45, Jean-Marc Desperrier wrote:
Brian Smith wrote:
An augmented PAKE user authentication protocol might be very useful
for some things, but TLS-SRP
Aug 30, 2007 (!!!) Nelson Bolyard wrote:
/NSS, the crypto software used in mozilla browsers and email clients, was one
of the first adopters of PKCS#11, the interface standard for crypto devices
like smart cards and USB crypto fobs. Network
client products that use NSS have been able to work
aerow...@gmail.com wrote:
On Tue, Feb 1, 2011 at 1:19 PM, Marsh Ray ma...@extendedsubset.com wrote:
On 02/01/2011 02:41 PM, Anders Rundgren wrote:
What about the client cert in a smart card?
That's old and standard and supported by Mozilla.
I don't know what kind of prices you'd have to pay
Robert Relyea wrote:
snip
Token provisioning is outside the PKCS #11 module. It uses global
platform secure channels to communicate to the card. The APDU's are
specific for the cards applet.
Yes, and this is why Firefox and other browsers are slightly incompatible
with the web from a
Matej Kurpel wrote:
On 4. 1. 2011 22:23, Robert Relyea wrote:
On 01/03/2011 01:04 PM, Anders Rundgren wrote:
Hi,
I'm in the starting phase upgrading Firefox so that it can provision
credentials in a way that banks and governments require which
among many things include E2ES (End-to-End
Hi,
I'm in the starting phase upgrading Firefox so that it can provision
credentials in a way that banks and governments require which
among many things include E2ES (End-to-End Security) and issuer-
specified PIN-codes (or just policies for user-defined dittos).
The plan is mainly
http://www.gsmworld.com/newsroom/press-releases/2010/5726.htm
As I said a million times before, on-line provisioning of HW tokens
is the future.
My take on this subject is (still...) defining a standard container based
on Open Hardware because E2ES (End to End Security) cannot be
abstracted
David Stutzman wrote:
I'm assuming not based on my experience, but does NSS support point
compression on EC keys?
Dave
Isn't that a thing that Certicom have patented?
May I comment a bit on this?
msm Li wrote:
Currently, the smartphone platform lacks a unified
software/hardware security module.
For example, iPhone stores certificates in the Keychain, BlackBerry
stores certificates
in BlackBerry device key store, Android has no such secure storage.
True.
I have one question: Why would you want NSS in Android?
The reason I wonder is because apps in Android are
mainly written in (sort-of) java and both bouncycastle
and openssl are already on-board.
If you really want to make a change that would be adding
a useful way to get keys on mobile devices
The following is mainly directed to people working with mobile
devices although the issue of course also applies to PCs.
Recently I had an interesting conversation with a security technologist of
a major payment provider who had seen links to my SKS/KeyGen2 stuff [0].
He was quite concerned
this is primarily a European/Asian issue and we cannot expect to
get any support from Mozilla except maybe a Good luck or so :-)
Regards
Anders Rundgren
And they
want to put their CA Root certificate into Firefox, so that there will
be no alert popup in the certificate generate
-a843-462f-abb5-ff88ea5896f6displaylang=en
But I can't imagine end-users dealing with such a horrible tool.
This is for *cryptographers* only.
Making a Chinese Firefox distribution should be a more workable solution.
Anders
On Wed, Jul 21, 2010 at 11:32 PM, Anders Rundgren anders.rundg
Amax Guan wrote:
Hi,
I'm working on a Certificate renew process for a bank in China.
The bank stored the certificate in a USB key, and when the user needs
to renew the certificate, the bank will trigger the cert issue process
to do that, using keygen. But when the issue begins, because the
PM, Anders Rundgren
anders.rundg...@telia.com wrote:
Amax Guan wrote:
Hi,
I'm working on a Certificate renew process for a bank in China.
The bank stored the certificate in a USB key, and when the user needs
to renew the certificate, the bank will trigger the cert issue process
to do that, using
Nelson B Bolyard wrote:
snip
keygen since a CA has no options for key protection during issuance
using Firefox which it has using MSIE.
Yes, I quite agree with you on this point, Anders. The problem is that the
CA cannot express to Firefox that it wants Firefox to require that the
generated
Hi Mountie,
A service provider cannot specify *anything* regarding key protection
using Firefox.
Anders
Mountie Lee wrote:
Thanks Eddy.
in IE
the service provider can choose the private key can be exportable or not.
the manual configuration is not so attractive for service provider.
is it
Nelson B Bolyard wrote:
snip
Hi Mountie,
A service provider cannot specify *anything* regarding key protection
using Firefox.
Anders, I think Mountie was referring to Crypto Service Provider (CSP),
which is Microsoft's name for software modules that follow Microsoft's
alternative that is
- Original Message -
From: Nelson B Bolyard nel...@bolyard.me
snip
I think he's referring to the fact that the PKCS#11 module must be manually
configured to be in FIPS mode or not in FIPS mode.
I'm not aware of any automatic protection settings for manual key import in
Windows, unless
Mountie Lee wrote:
I mean CKA_EXTRACTABLE.
as a Sub-CA, when they issue client certificate, they want to make sure
the private key will be exported outside of browser keystore.
the only one exception is when the private key is in hardware token, it
can be moved to other browser.
I didn't get
Anders,
Thanks for your mail. Is there any proprietary solution that's
named Message Pro or so??
On Apr 6, 5:26 pm, Anders Rundgren anders.rundg...@telia.com wrote:
Hi,
Since there are no standards in this space most banks and e-governments
use proprietary (but cross-browser) Java plugins
Hi,
Since there are no standards in this space most banks and e-governments
use proprietary (but cross-browser) Java plugins. In the EU there are at
least 10 different national schemes.
Chrome and Safari presumably do not support any pre-configured solution
since no such solution has gotten
Wan-Teh Chang wrote:
Does anyone know why HTML5 specifies keygen must use the
md5WithRSAEncryption signature algorithm? Was the use of MD5
discussed when keygen was standardized in HTML5?
Eddy, does your CA accept a SignedPublicKeyAndChallenge (SPKAC)
structure signed using