write any more on this right now, but I hope the above addresses
at least some of the questions you had.
Frank
--
Rob Stradling
Senior Research Development Scientist
Comodo - Creating Trust Online
Office Tel: +44.(0)1274.730505
Fax Europe: +44.(0)1274.730909
www.comodo.com
Comodo CA Limited
be performed prior to any other step.
I haven't invested a lot of time into this request initially (as I
haven't for other upgrade requests for EV during the comments period),
but raised enough questions which might justify such a review.
--
Rob Stradling
, provided if and when we have that capability in
NSS. Perhaps we want to open a catch-all bug for such roots which are
added under this condition.
* Confirmed by Rob Stradling from Comodo.
--
Rob Stradling
--
Rob Stradling
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
Rob Stradling
.
--
Rob Stradling
On Thursday 05 June 2008 12:05:42 Eddy Nigg (StartCom Ltd.) wrote:
Rob Stradling:
Rob, in the past, any time that we have suggested that a CA issue a new
root CA cert for any reason, even if only to change something minor,
we've received much feedback saying that doing so represents a huge
On Thursday 05 June 2008 12:59:13 Eddy Nigg (StartCom Ltd.) wrote:
Rob Stradling:
Additionally, most of the times the old and the new root will be both
present in NSS for some time in order to allow a smooth transition,
until the old root is being removed.
Eddy, I think you've missed
(not that I'm advocating that,
of course!)
Gerv
--
Rob Stradling
discussion periods simultaneously?
Having watched this list for a number of months, I think I'm right in saying
that you're only allowing one at a time...in which case, how is having more
people now working on CA-related tasks actually improving your overall
throughput?
--
Rob Stradling
On Thursday 17 July 2008 13:33:04 Frank Hecker wrote:
Rob Stradling wrote:
Frank, is there any reason why you can't have multiple candidate CAs
having their public discussion periods simultaneously?
No reason at all;
Thanks Frank. That's good to hear.
in fact, technically we have two
On Thursday 17 July 2008 16:50:50 Frank Hecker wrote:
Rob Stradling wrote:
Frank, in Bug #421946 Comment #15 you said:
I'll proceed with the first public comment period once I figure out
where this request sits in the queue relative to other similar requests.
If the public comment
.
--
Rob Stradling
On Saturday 19 July 2008 19:30:51 Paul Hoffman wrote:
At 11:04 AM +0100 7/19/08, Rob Stradling wrote:
I think that the ECDSA signature algorithms will only be supported in
OpenSSL 0.9.9 (not yet released) and above.
Try a recent openssl-SNAP-2008mmdd.tar.gz from
ftp://ftp.openssl.org
regarding this request.
Frank
[1] Fun fact: Within Hungary names are normally given in Eastern order
(i.e., like China or Japan) with surname first. In this case I've
transposed to Western order (I think).
--
Rob Stradling
service URI. Over to Frank.
--
Rob Stradling
the revocation status
of a trust anchor via CRL or OCSP.
Regards,
István
--
Rob Stradling
any further questions.
Regards,
/Nelson
--
Rob Stradling
beforehand)?
--
Rob Stradling
which we can
start a new public discussion period.
Frank
--
Rob Stradling
validation initiative mentioned by that Reg article.
--
Rob Stradling
--
Rob Stradling
--
Rob Stradling
pretty moot.
--Paul Hoffman
--
Rob Stradling
a revoked one. There
are indeed situations which require to access a site with an expired cert.
--
Rob Stradling
On Monday 12 January 2009 11:00:59 Eddy Nigg wrote:
On 01/12/2009 12:45 PM, Rob Stradling:
and required by EV ?
Eddy, the EV Guidelines impose certain requirements on Intermediate CAs
*when* they are used, but AFAIK they don't mandate that Intermediate CAs
MUST be used.
Visit https
practices. This document is presented to every CA for a
while already, so the CAs know about it, even if it's not part of the
policy itself.
Perhaps a better mechanism regulating these aspects might be useful too.
--
Rob Stradling
On Monday 12 January 2009 12:10:17 Eddy Nigg wrote:
On 01/12/2009 01:20 PM, Rob Stradling:
The Entrust.net Secure Server Certification Authority is used for
legacy ubiquity only. Entrust and SecureTrust (aka Trustwave) have
different EV Certificate Policy OIDs. https://www.securetrust.com
on that page as grounds
for pulling a previously approved Root Certificate from the trust pile?
On Monday 12 January 2009 11:26:03 Eddy Nigg wrote:
On 01/12/2009 01:08 PM, Rob Stradling:
Eddy, I apologize if I'm misinterpreting your response to Paul's last
comment, but I think you
*because* of Verisign, but *even* Verisign does it ;-)
OK.
--
Rob Stradling
requirements could require operational
changes in some/all roots, or risk de-acceptance. If a CA's
operations are not secure (due to input, processing, or output), how
can anyone put any trust in them?
-Kyle H
On Mon, Jan 12, 2009 at 5:07 AM, Rob Stradling rob.stradl...@comodo.com
wrote:
Eddy
.
--
Rob Stradling
Bucksch wrote:
On 13.01.2009 09:48, Rob Stradling wrote:
I made a similar suggestion to ietf.pkix in October 2006. See...
http://www.imc.org/ietf-pkix/mail-archive/msg01964.html
...and the rest of that thread, including...
http://www.imc.org/ietf-pkix/mail-archive/msg01984.html
...
Ben
be
updated to require CAs to implement it?
On Tuesday 13 January 2009 14:50:32 Paul Hoffman wrote:
At 9:55 AM + 1/13/09, Rob Stradling wrote:
Thanks Ben. Perhaps it's time to have another go at canvassing support
for the idea. In 2006, the PKIX WG didn't seem interested in tackling
On Tuesday 13 January 2009 15:47:22 Paul Hoffman wrote:
At 3:31 PM + 1/13/09, Rob Stradling wrote:
Why almost every piece of PKIX validating software ?
I think it would be worth it if, at a minimum...
- the majority of CAs added the extension to the certificates they
issue
.
On Monday 19 January 2009 22:07:46 Nelson B Bolyard wrote:
Rob Stradling wrote, On 2009-01-14 03:24 PST:
To the NSS developers: If there existed a standardized certificate
extension in which a CA could put additional signatures using different
algorithms, do you think you'd consider adding
., receive a
full cert chain that includes the old root?)
Is the above a correct reading of your comments?
Frank
--
Frank Hecker
hec...@mozillafoundation.org
--
Rob Stradling
appreciate all the hard
work you do.
Dave
PS Nelson, I've been trying to email you directly and haven't been
getting any responses.
Rob Stradling
On Tuesday 03 November 2009 14:29:43 Rob Stradling wrote:
On Tuesday 03 November 2009 13:42:14 David Stutzman wrote:
snip
Hi David.
Gentoo's NSS package supports ECC because I asked them to enable it:
http://bugs.gentoo.org/247221
I don't think it was ever a deliberate decision
Stutzman wrote:
Rob Stradling wrote:
A question for the NSS devs:
Is there any reason why NSS couldn't be changed to assume
NSS_ENABLE_ECC=1 by default?
Yes...
http://fedoraproject.org/wiki/User:Peter/Disabled_applications
Disabled features:
Elliptic Curve crypto algorithm
supported by NSS, but having said that I
wouldn't be surprised if Nelson replies to this message with words to the
effect of that extension is deprecated, so please don't use it any more!
Rob Stradling
but they are still useful
(e.g. the CA may subsequently detect that the key or hash algorithm used in
the certificate is weak).
Rob Stradling
are not widespread today, but this would
change if/when ECC certs start to be used more widely.
--
Rob Stradling
codes?
--
Rob Stradling
On 09/02/12 13:10, Gervase Markham wrote:
On 09/02/12 12:54, Rob Stradling wrote:
We've calculated that there are currently ~53,000 revoked Server
Authentication certs that were issued by Comodo's CA systems, each with
a serial number of 16 bytes (+ a leading zero byte if required to ensure
Mozilla and the NSS team to accept my patch and ship it in
Firefox 14 or sooner.
Thanks.
--
Rob Stradling
-in. This
didn't work either, presumably because the UTN root-certificate was for
some reason still listed as a Software Security Device.
--
Rob Stradling
!
On 11/06/12 15:25, Rob Stradling wrote:
On 09/06/12 06:03, Wan-Teh Chang wrote:
Rob,
Please fix the bug in the old certificate verification library. Thanks.
Are you going to use the approach outlined by Nelson in bug 479508 and
bug 482153?
Wan-Teh
Hi Wan-Teh.
I'm afraid I have nowhere near
]
https://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt
[2]
https://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsIdentityChecking.cpp
snip
--
Rob Stradling
, but you don't
need committer privileges in order to create a bug on Bugzilla, attach a
patch, etc).
--
Rob Stradling
/PSM)
--
Rob Stradling
?
If a webserver wants to prefer ECDSA over RSA, then it can override the
browser-supplied cipher-suite order.
e.g. http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslhonorcipherorder
--
Rob Stradling
.
Kurt
--
Rob Stradling
about http://en.wikipedia.org/wiki/Dual_EC_DRBG#Controversy ?
No, he actually said he doesn't trust any ECC, but on the other
hand said that we should probably move to at least 500 bit ECC.
Kurt
--
Rob Stradling
those cipher suites, and process the remaining
ones as usual.
--
Rob Stradling
://www.sonderbewilligungen.admin.ch.
Kaspar
--
Rob Stradling
omission means that this CA certificate is
unfortunately _not_ considered technically constrained according to the
Mozilla CA Certificate Inclusion Policy.
--
Rob Stradling
CERTIFICATE-
--
Rob Stradling
-0.aspx
[2] http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
--
Rob Stradling
] https://www.imperialviolet.org/2012/02/05/crlsets.html
--
Rob Stradling
exclusively, so as of a few
weeks ago there are now _a lot_ of ECDSA certs in the wild.
--
Rob Stradling
that say
my cert isn't working in Firefox - why?
Thanks to Andrew of SSLMate for putting the site together.
Gerv
--
Rob Stradling
lic/www-tag/2015Sep/thread.html
> [3] https://code.google.com/p/chromium/issues/detail?id=514767
> [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1024871
>
--
Rob Stradling
64 matches