Anders Rundgren wrote:
IM[NS]HO, S/MIME encryption using PKI is one of the biggest security
farces ever.
I don't see why.
Regarding the guide, I believe that e-mail encryption would be fairly common
if it had been (generally) based on using a shared secret, because passwords
are easier to
Hi,
I'm trying to use Firefox with an sqlite based NSS. So far all the
certificate stuff still works as expected as far as I can see but the
password manager component is broken now:
The exposed error is this:
Login Manager: Initialization of storage component failed: [Exception...
Component
Of course S/MIME encryption works for PKI experts.
But how do I send an encrypted message to the IRS?
(S/MIME has been largely funded by the US government).
Of course distributing shared secrets is awkward but it is done all the time
over the entire globe and in a massive way, any idiot can do
Eddy Nigg wrote:
I believe that the policy (and/or other relevant policy guiding
statements) should be clear in respect what Mozilla requires from the
CAs.
It's a nice ideal, but I wonder myself whether it can be achieved. This
is one of the reasons why we have ended up with the
Anders Rundgren wrote:
Of course S/MIME encryption works for PKI experts.
It can also work for normal users. The problem is that both ends of the
communication channel have to be willing to do the preparation work needed.
But how do I send an encrypted message to the IRS?
(S/MIME has been
Eddy Nigg wrote:
On 11/15/2008 06:29 PM, Ian G:
I agree it is an issue that we should try and
clarify, if not nail down.
Sounds good!
One way to short-circuit this is to simply state that the root CA is
responsible for any/all subroots.
This is the situation we had until recently, with
Michael Ströder wrote:
It can also work for normal users. The problem is that both ends of
the communication channel have to be willing to do the preparation
work needed.
Michael Ströder [EMAIL PROTECTED] wrote:
The biggest obstacle preventing people to use S/MIME (or even PGP) is
that they
Kalukuri [EMAIL PROTECTED] wrote, On 2008-11-17 05:08 PST:
I am having 2 different keystores. One is having a cert for one
particular client which the other is not having.
My plan is to export the car from the first available one and import
the same into the other which is not having that.
Anders Rundgren wrote:
IM[NS]HO, S/MIME encryption using PKI is one of the biggest security
farces ever. Even the use-case is often wrong.
Please start your debate in another thread. S/MIME and PKI are a
supported part on the NSS feature set, and supported in pretty much
every email
Ian G wrote:
IMHO, the policy has served remarkably well, and of
course issues will arise with more experience.
I wouldn't go so far as to say the policy has served remarkably well.
However I think it has served as a useful document in terms of providing
a context for our discussions, has
Robert,
Pardon me. I did indeed not intend to slam Paul's guide.
I changed the thread but I don't expect a fruitful debate since the difficulties
are mostly unrelated to NSS. I feel sorry for those who feel that S/MIME
encryption needs to become mainstream because that will never happen
Wolfgang Rosenauer wrote, On 2008-11-18 05:38:
Hi,
I'm trying to use Firefox with an sqlite based NSS. So far all the
certificate stuff still works as expected as far as I can see but the
password manager component is broken now:
The exposed error is this:
Login Manager: Initialization
Eddy Nigg wrote:
On 11/15/2008 06:29 PM, Ian G:
snip
Either way we look at it, I feel that the more controls are put in
place, the more we end up putting in paper fixes and the more we
complicate things for a gain that we don't fully understand.
I don't perceive it as such at all. What do we
Ian G wrote:
Eddy Nigg wrote:
snip
Right. It was suggested to require a yearly audit or by other frequency.
Related to this point: I don't know if anyone's noticed this, but
WebTrust seems to be getting clogged in terms of getting new audit
reports out and published. I periodically do a
Anders Rundgren wrote:
Secure e-mail should have been put at the server-level, then we would have
had some base-level security that would cover 99% of all uses. But it
didn't and therefore 80% of all messages are not even coming from the
domain they claim. How very useful.
There is no such
Nelson B Bolyard schrieb:
Wolfgang Rosenauer wrote, On 2008-11-18 05:38:
Hi,
I'm trying to use Firefox with an sqlite based NSS. So far all the
certificate stuff still works as expected as far as I can see but the
password manager component is broken now:
The exposed error is this:
Login
On 11/18/2008 05:14 PM, Ian G:
Eddy Nigg wrote:
I believe that the policy (and/or other relevant policy guiding
statements) should be clear in respect what Mozilla requires from the
CAs.
It's a nice ideal, but I wonder myself whether it can be achieved. This
is one of the reasons why we have
On 11/18/2008 08:40 PM, Frank Hecker:
This is by way of saying that even if we required annual audit reports,
it's not clear to me that CAs could produce them.
Microsoft made it a requirement and you might ask them how it goes. But
there are many CAs supported by MS, apparently they are
Graham Leggett wrote:
Anders Rundgren wrote:
Secure e-mail should have been put at the server-level, then we would have
had some base-level security that would cover 99% of all uses. But it
didn't and therefore 80% of all messages are not even coming from the
domain they claim. How very
Paul Kinzelman wrote:
Feel free to pass the link around and to comment and suggest
enhancements.
One thing that I frequently suggest is that S/MIME is only a workable
system in general when verification (signing) is turned on always.
This is because there are architectural flaws in the
Wolfgang Rosenauer wrote:
Nelson B Bolyard schrieb:
Wolfgang Rosenauer wrote, On 2008-11-18 05:38:
Hi,
I'm trying to use Firefox with an sqlite based NSS. So far all the
certificate stuff still works as expected as far as I can see but the
password manager component is broken now:
Robert Relyea schrieb:
Hmm, now that you say that...
It's not much about what I intend to do since I'm just trying to use
Firefox ;-)
But yeah, it might go wrong before that trace already?
http://mxr.mozilla.org/mozilla/source/toolkit/components/passwordmgr/src/storage-Legacy.js#176
176
Anders,
Anders Rundgren wrote:
IM[NS]HO, S/MIME encryption using PKI is one of the biggest security
farces ever. Even the use-case is often wrong. Somebody representing
e-Health
once described for a big audience how S/MIME encryption could be used
to exchange private medical information
Anders Rundgren wrote:
Robert,
Pardon me. I did indeed not intend to slam Paul's guide.
I changed the thread but I don't expect a fruitful debate since the difficulties
are mostly unrelated to NSS. I feel sorry for those who feel that S/MIME
encryption needs to become mainstream because
Michael,
Michael Ströder wrote:
Anders Rundgren wrote:
IM[NS]HO, S/MIME encryption using PKI is one of the biggest security
farces ever.
I don't see why.
Regarding the guide, I believe that e-mail encryption would be fairly
common
if it had been (generally) based on using a shared secret,
Anders Rundgren wrote:
There is no such thing as secure email at the server level.
For an *organization* this statement is principally wrong. For an
organization the server is the only place where you actually can perform
security operations including content checking in a cost-efficient
Wolfgang Rosenauer wrote:
Robert Relyea schrieb:
This was a new profile actually. And yes, the database which reveals
this issue isn't complete it seems. I removed it and created a new empty
one using certutil -d sql:. -N and now Firefox works correctly.
What I've used to create the shared
On Nov 18, 2:54 am, Eddy Nigg [EMAIL PROTECTED] wrote:
On 11/14/2008 11:12 PM, Frank Hecker:
...in the short term I'm going to try to restart CA public
In this particular case I think that the practice in question doesn't
meet the requirements of the Mozilla CA policy. This includes in
'content checking' is to verify that no secrets are included in
anything sent somewhere unapproved. For example, banks and other
fiduciaries need to ensure that private financial data isn't released,
educational institutions need to ensure that educational data isn't
released, and so on.
It is
Robert Relyea wrote:
Typically
needsUserInit means there isn't a password record in your key database.
Without this you can not store any keys. The difference between 'not
initialized', 'doesn't have a master password', and 'has a master
password' is as follows:
1) 'not initialized' ---
Eddy Nigg wrote:
On 11/15/2008 05:18 PM, Ian G:
Eddy Nigg wrote:
On 11/12/2008 05:21 PM, Ian G:
Not sure why, but your posting arrived just only now...
I was offline / travelling. There is this little lightbulb on the
bottom left side of Thunderbird that we can click, and then the
Kyle Hamilton wrote:
'content checking' is to verify that no secrets are included in
anything sent somewhere unapproved. For example, banks and other
fiduciaries need to ensure that private financial data isn't released,
educational institutions need to ensure that educational data isn't
Wolfgang Rosenauer wrote:
This was a new profile actually. And yes, the database which reveals
this issue isn't complete it seems. I removed it and created a new empty
one using certutil -d sql:. -N and now Firefox works correctly.
It is possible that code that uses NSS in ways not tested by
On 11/19/2008 01:59 AM, kgb:
Hi Kevin,
WISeKey has made some changes to its practices, since the last public
discussion period.
I'm glad to hear that! Can you point to what specifically has been
changed since then?
BlackBox Subordinate CAs are restricted to issue
certificates for domains
Anders Rundgren wrote:
IM[NS]HO, S/MIME encryption using PKI is one of the biggest security farces
ever. Even the use-case is often wrong. Somebody representing e-Health
once described for a big audience how S/MIME encryption could be used to
exchange private medical information between a
Frank Hecker wrote:
Ian G wrote:
One way to short-circuit this is to simply state that the root CA is
responsible for any/all subroots. So this would imply that the root
CA's policies and audit drill down through the subroots, and they
apply. Then, it would be up to the root auditor to
Frank:
The Wisekey case could be where we might draw the line. Provided that
- there is a *good compelling reason* for using sub-ordinate
certificates in first place, limited to the domains under the control of
the owner (via name-constraints) and with reasonable controls in place
(like
Nelson Bolyard wrote:
Robert Relyea wrote:
Typically
needsUserInit means there isn't a password record in your key database.
Without this you can not store any keys. The difference between 'not
initialized', 'doesn't have a master password', and 'has a master
password' is as follows:
1)
The SECMOD_LoadUserModule and SECMOD_UnloadUserModule functions
were added in https://bugzilla.mozilla.org/show_bug.cgi?id=132461, but no
NSS utilities or test programs use these functions, so the only sample code
for these functions that I can find is PSM.
PSM uses these functions as follows: