On 8/16/09 1:55 AM, Marc Kaeser wrote:
I need to understand how the DB3 database is protected by the Master
Password. I read the code in mozStorage and saw that the
function/method encryptString() from nsSDR.cpp is called for encryption
of Login Credentials, which are stored in that sqlite DB.
On 1/4/09 12:32 PM, Paul Hoffman wrote:
I propose that Mozilla form a new mailing list, dev-policy-trustanchors.
Yes. I'd also very much like to see this split. I'm interested in the
technical side of things, but not so much the policy stuff (and,
frankly, the incessant bickering and
On 1/1/09 6:44 PM, Kyle Hamilton wrote:
If he's a security and user interface expert, why is the security UI
so appallingly *bad*?
*plonk*
Justin
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
On 12/23/08 11:27 AM, Kyle Hamilton wrote:
I'd rather deal with disruption caused thereby (and, yes, the user
complaints generated thereby -- at least then the end-user would KNOW
that there's a problem that's being dealt with rather than having a
FALSE SENSE OF SECURITY)
Hmm, would they?
On 12/23/08 12:12 PM, Justin Dolske wrote:
On 12/23/08 11:27 AM, Kyle Hamilton wrote:
I'd rather deal with disruption caused thereby (and, yes, the user
complaints generated thereby -- at least then the end-user would KNOW
that there's a problem that's being dealt with rather than having
On 12/23/08 12:20 PM, Justin Dolske wrote:
That said, the Comodo/Certstar is hugely sucky and I would hope there's
something we can do about it that helps users.
I am just full of fail today: ... the Comodo/Comstar *incident* is
hugely sucky ...
Justin
Frank Hecker wrote:
Kathleen Wilson and I have been discussing how to re-start the
evaluation process for T-Systems. If you recall, that request (bug
378882) got bogged down in a discussion of how to deal with situations
where the root CA doesn't actually issue end entity certificates and the
Graham Leggett wrote:
...
Quick note: you might look at some of the Weave code, which is using PKCS#5.
http://hg.mozilla.org/labs/weave/file/53e25c0c7e2e/src/WeaveCrypto.cpp#l462
Justin
Kai Engert wrote:
However, you might want to ping the Mozilla labs people who work on the
Weave project, I think they have faced similar challenges. Maybe you can
look at their code to get ideas.
That would be: http://hg.mozilla.org/labs/weave/file/53e25c0c7e2e/src/
It's not a
rainer_k wrote:
If this is such a serious concern, why did Microsoft decide to put
this CA inside the Windows
CA store and even distribute this via automatic update?
I don't think "but Microsoft did it" is, in general, a convincing
argument when it comes to good security practice.
The
Kai Engert wrote:
Ubuntu has apparently chosen to use non-standard library names,
therefore you can't use your binary produced on Ubuntu on a system that
uses standard library names.
Similar problems have bitten Labs' Weave extension. See bugs 442679,
442788, 442257.
Justin
Paul Hoffman wrote:
Thus, if we have any
1024-bit keys in the root pile (and we might still have ones
shorter...), requiring all new CA keys to be 2048 bits (for example) has
no effect on Mallory: he still attacks one of the current roots and gets
the exact same effect.
So? While it might
Paul Hoffman wrote:
Unless Mozilla says we are going to yank that particular Verisign
certificate, and all the ones with similar key lengths, decades before
they expire, there is absolutely no reason for us to, 20 years in
advance, start requiring new CAs to use stronger keys. It is just not
Nelson Bolyard wrote:
With entropy seeding, the more the merrier.
You can't really have too much.
On the other hand, why make apps and users jump through hoops to add
more if it isn't needed? It seems rather dysfunctional to have a
cryptographic RNG that's just going to pass the buck to the
David E. Ross wrote:
For example, a hash mismatch would cause the downloaded file to be
deleted. Also a misformed hash would block downloading. Both of these
create denial-of-service opportunities; all a hacker has to do is alter
the hash in the anchor (link) that would be used to initiate
Arrakis wrote:
I am trying to generate pre-configured credentials for Thunderbird, that
have been Master Password encoded.
If you want to add stored password entries, you should be using the
interfaces provided by Wallet (or Password Manager / Login Manager,
for other products). Take a
Peter Djalaliev wrote:
Has Secure FTP been standardized? I can't seem to find any sort of an
RFC or another standard to do with Secure FTP.
I believe it was standardized under the umbrella of the IETF's SecSH WG...
A (recently) expired draft is at the below URL, but I don't know the
current
17 matches