Steve,
Dr S N Henson wrote:
Frederick Roeber wrote:
I'm of the opinion that encryption and signing should be turned on
by default
Turning on signing by default might be dangerous, not everybody is
comfortable with a Legally Binding Signature on every random note they
send. (Plausible
Alex,
[EMAIL PROTECTED] wrote:
First time browsing this list so apologies if this has already been noted.
Using nss-3.3 precompiled Linux binaries cmsutil did not produce
verifiable signatures when the entity was piped in via STDIN. However,
when using the -i switch the signature
hooway wrote:
We are making a PKCS11 token dll for CMS server. But we met some problems.
and cause windows shut down. We want to debug our dll to find the reason.
But how to do it under CMS server. It's always working as a NT Service. Is
there any method to force it working not in Service
Robert,
Robert Wagner wrote:
I have a working client/server application that is using NSS
3_3_1_RTM.
One check my application does is verify if the password supplied is
correct. After I initialize and configure all of NSS, my application
calls PK11_CheckUserPassword.
When you call
Bonny,
bonny joy wrote:
hi all
I am working on Mozilla's NSS code. I have some trouble using
crlutil. Even though I am using a CRLv2, it is giving an error message
invalid format. Is this the error with the crlutil or the decoding code
in the implementation?
A few things to
Patrick,
Patrick wrote:
Hello,
What command to execute to clean up *all* of an NSS build?
I built NSS on one platform (HPUX11) and now want to use the same dir
structure (/mozilla) to build NSS on another platform (SunOS5.8)
However it seems the 2nd build did not create the expected
Amlan Haldar wrote:
Has anyone built NSS on SunOS 5.8 with Forte C++ with update 2 ? I am having
problems.
Amlan.
I build it regularly on SunOS 5.8 with Forte C++ update 1. Did you ever
build with update 1 successfully in the past ? It would help if you
would specify what problems you
Hi,
bonny joy wrote:
hello
I have a question on building NSS on Win2k.
Can I build NSS 3.2.1 on Win2k?
I tried but the following error is coming:
Microsoft (R) Segmented Executable Linker Version 5.60.339 Dec 5
Christian,
Christian Schulte wrote:
Robert Relyea wrote:
My guess is the certificate in question is a secondary CA signed by a
primary. The problem is that gtoc.iss.net is probably misconfigured. It
should send the secondary certificate with its server certificate.
Their
Zeke,
Zeke wrote:
Hi.
I have a one simple (?) problem. ;)
When I try to export certificate to my smart card, like: pk12util.exe -d
.\ -i good.p12 -h GemSAFE Smart Card
I see error message:
How many certificates and keys does your P12 file contain ? And of what
type (signing, encrypting,
Stuart,
Stuart Davidson wrote:
I maybe 2 + 2 = 5... but I have the following questions:
Do you have any log from your LDAP server showing whether it received
the client certificates and accepted them, or if they were rejected ? As
Nelson pointed out, the prior traces showed that the failure
Chris,
Chris wrote:
I'm working with my smartcard PKCS #11 module and I have 2 certificates
available that can be used for signing messages. Both certs are tied to
the same e-mail address and have the same subject.
How do the certs exactly differ ? By issuer, date, or other ? This may
be
Daniel,
Daniel Kluge wrote:
IE stores not only the root certificates, but also all intermediate
certificates, hence it is successful in putting together the certificate
chain.
IE is only successful in putting together the full cert chain if it
already has a copy of the intermediate CA cert
Chris,
Chris wrote:
When I actually sign the e-mail message is when it picks the wrong cert.
It appears to use the first certificate that can be used for signing
e-mail versus actually using the one I told it to use. If I reverse the
order that C_FindObjects returns the certificates,
Chris,
Chris wrote:
When Mozilla initially starts it does a C_FindObjects (with a max
count of 16 or so) for all certificates on the token. I return both
certificates at this point because the only search attribute is
CKA_CLASS == CKO_CERTIFICATE, no other search attributes are present
Michael,
Michael Ströder wrote:
Ben Bucksch wrote:
Julien Pierre wrote:
the private key could have been sent to the CA if it required key
escrow during enrollment,
Eh, but the software (i.e. Mozilla) will clearly and obviously tell me
about it in any and all cases, won't
Chris,
Chris wrote:
Sure, I can take a look when I get a chance. If you have some pointers
of where to look first that might be helpful. I don't know when I'll
get around to doing this though.
I'm currently using Mozilla RC3 on Debian Linux and Win32. Debian
version is the Debian
Wan-Teh,
Wan-Teh Chang wrote:
yz wrote:
Hi,
I have installed a certificate and I can digitally sign my email.
Is it possible in Mozilla to digitally sign messages I send to
newsgroups (like in OE6)?
There is a request for this feature
layered socket or a plain NSPR socket?
In other words, Julien Pierre said at one point (this discussion originally
started in the mozilla.nspr newsgroup): If it's an NSS socket doing SSL,
the fact that there is data on it doesn't necessarily mean that it's
application data. You should only
Michel,
Michel Dupagne wrote:
Hi! I would like to know why SSL SMTP 465 does not work with Netscape
Messenger, at least 4.8 and 7.0. 465 works fine with Outlook Express
4, 5, and 6.
I hope you realize that saying SSL SMTP does not work is not nearly
enough information to diagnose your
pingzhenyu wrote:
How can I build NSS with VC++, and how can I debug it with VC++?
By following the build instructions at
http://www.mozilla.org/projects/security/pki/nss/buildnss_33.html .
Hi,
fecund wrote:
Using Mozilla 1.2 alpha, and having trouble accessing many sites when
OCSP validation is turned on. The typical error is:
Error trying to validate certificate from secure3.ingdirect.com
using OCSP - response contains a date which is in the future.
What I'd like to see
Nimesh Ray wrote:
Hello,
Can the SSL libraries provided by NSS work on other commercial embedded OSes
other than Windows and Unix? Does anyone know if this is done, and if any
issues were found related to this?
It can be done, but your embedded device will need lots of RAM to run NSS.
POC wrote:
Would it be possible to have the following 2 functions added to the
next version of the NSS public API:
CERT_CreateCertificate;
CERT_CreateValidity;
Ian McGreer indicates that the 1st function will make it in NSS 3.5.
What about the 2nd one? It too would be most useful in creating a
Patrick,
POC wrote:
Does mozilla have a API I could use to parse through a CRL? I'm
currently using Sun's CertificateFactory and calling the generateCRL()
method but I find it very slow when dealing with large CRLs 1
MB...Moreover if I build a list of such CRL objects, my JVM runs out
of
cache,
the CRL was pulled from the tokens, decoded, and freed, for every
certificate verification. Needless to say, the performance with that
method was not impressive and this is why the CRL cache was added.
-- POC
-Original Message-
From: Julien Pierre [mailto:jpierre
Patrick,
POC wrote:
About that -u option: does NSS use the URL at all? (like automatically
fetching a fresh CRL once the CRL expires), or is it just simply
stored in the cert db for the crlutil user to retrieve at a later date
(using crlutil -L)?
I don't think NSS uses it other than
liug wrote:
4) now try to import it (I already have key3.db and cert7.db created).
pk12util -i test2.p12 -d .
it gives:
pk12util: PKCS12 decode validate bags failed: The user pressed cancel.
any ideas?
thanks!
frank
Did you specify a password on your p12 file when you created it ?
liug wrote:
Nelson B. Bolyard [EMAIL PROTECTED] wrote:
liug wrote:
How can I use the NSS tools to convert an OpenSSL generated
key pem file to netscape key3.db ?
I believe there is some OpenSSL program that will create a .p12 file
(a.k.a PFX file) from your key/cert. Mozilla can import
Nelson B. Bolyard wrote:
.p12 files contain the nickname for the certs. When mozilla imports a
cert from a .p12 file, it uses the nickname found in the .p12 file.
If I'm not mistaken, iPlanet web server requires that the server's cert
have a particular nickname. It's possible that this was a
Tom,
tom glaab wrote:
All my certs are current and issued by the same CA. The subject is
different, though not by much (basically a firstname.lastname.serial).
The reason I have multiple certs from the same CA is political, and
the older, primary cert has more functionality but I have to keep
Hi,
tom glaab wrote:
Julien Pierre [EMAIL PROTECTED] wrote
In truth, most people do not have more than one valid cert per issuer
with a different subject, much less more than one valid cert for more
than one issuer.
I'm in the minority then, and it is annoying. I've had a corporate
cert
Hi,
Remo Inverardi wrote:
Caption: Alert, Message: localhost has received an incorrect or
unexpected message. Error Code: -12227
This means SEC_ERROR_REVOKED_KEY .
Are you using any means of certificate or key revocation ?
Eg. OCSP, CRLs, or CKLs ?
Is PKCS#11 support in Mozilla actually
Christoph Brueckner wrote:
hi,
NSS is using the softoken as internal pkcs#11 module.
Is it possible to turn the softoken into a
real standalone pkcs#11 module, which can be
used by other applications beside Netscape/Mozilla?
What is this cryptoki framework (ckfw) all about?
Is it possible to
Ray,
Ray Charbonneau wrote:
We run our own Netscape CA, and have included the appropriate certs in
our Netscape 4.7x installation package. These certificates appear in
the Mozilla Certificate Manager when I upgrade a profile from Netscape
to Mozilla.
How can I include these certs in new
boutteau wrote:
I am looking for a tool kit to do file signature:
1) select a file
2) select a certificate
3) sign the selected file with the certificate
4) create .zip with 2 files :
- selected_file.ext
- selected_file.ext.sig
Second tool is to verify that a
Henrik,
Henrik Gemal wrote:
How does Mozilla select certificates to show to a webserver when the
server asks for a certificate?
The web server first sends Mozilla a list of valid CA certificates from
which it will accept client cert.
Mozilla then looks through the available client certs. The
Stephen Henson wrote:
Although a server sending an empty list is strictly speaking illegal in
SSL/TLS some implementations will tolerate it and interpret it as any
CA.
No idea if Mozilla does though...
NSS enforces the SSL/TLS specs and will not tolerate an empty CA cert
list from the
POC wrote:
Hello,
I have a NSS server app that decodes CRLs all day long (a poor man's
OCSP responder). However this app has a memory leak. I'm using the
CERT_DecodeDERCrl() function. This function returns a pointer to a
CERTSignedCrl object (call it signedCRL). What is the right way to
release
Patrick,
POC wrote:
Hello,
I create a CERTCertificate object using CERT_FindCertByName() and then
destroy it using CERT_DestroyCertificate(). However the cert.h file
states this about the function:
** NOTE: certificate's are reference counted. This call decrements the
** reference count, and if
Luis Fernando Pardo wrote:
Are you sure Netscape 6.2 is implemented over Mozilla 1.3b?. In
www.mozilla.org I have read that Netscape 7.02 is based on mozilla
1.0.2. If it is true, my component will not work with netscape.
Netscape 7.02 is based on Mozilla 1.0.2 .
Netscape 6.2 is based on some
Shawn,
Shawn Carnell wrote:
Has anyone else tried to build an apache module that uses NSS? I have.
It's not going so well.
For what purpose are you trying to use NSS ?
Are you trying to implement the SSL front-end of Apache with NSS (ie. an
alternative to the old mod_ssl) ?
And what version of
Richie,
Richie B. wrote:
I have a customer who is running IIS 5.0. We need to contact a page on
that server that is protected with SSL and requires client
certificates. I have imported the client certificate in Mozilla 1.4 on
Linux. When I access the page, the server responds:
HTTP 403.7 -
Patrick,
POC wrote:
I have two large CRLs, one is ~2.3MB the other ~2.7MB that I have
successfully imported in my cert8.db. I actually see the 2 files
created in cert8.dir.
Check that crlutil -d . -L can decode and list the CRLs properly.
However now my NSS server app core dumps...
Without the
Jean-Marc,
Jean-Marc Desperrier wrote:
Julien Pierre wrote:
[NSS DB access not multi-process safe]
Solving this problem involves using a new database format. The NSS
team researched the issue of licensing other database code that didn't
suffer from the single-process limitation, but none
Robert,
Robert wrote:
Hi!
I'm currently developing a password manager application for the
Windows platform which monitors the Mozilla password file (12345678.s)
and stores the password entries on a smart card. Ideally, the
passwords should be written to Mozilla's password file when the card
is
LiuPeng,
liupeng wrote:
Thanks for Julien Pierre answer!
I want to do a low-level RSA encrypt for my proprietary application and I
use smart card (gd spk) as my hardware device(Both the public key and the
private key stored in smartcard).
First of all, to do an RSA encrypt using a public key, you
Julien Pierre wrote:
Khaled Hassounah wrote:
Try adding a call to NSS_SetDomesticPolicy() . This will enable all the
domestic ciphers.
Setting followup to netscape.public.mozilla.crypto .
___
mozilla-crypto mailing list
[EMAIL PROTECTED]
http
Hi,
yangbingyu wrote:
I'm trying to use an SSL server with NSS, but I get an error that is
-12199(No certificate authority is trusted for SSL client
authentication),
The error is quite explicit. In the server database, you need to add the
CA certificates that you trust for client authentication,
Scott,
Scott Rea wrote:
OK, we require them, how do we get them added to the list of future
functionality and what is the usual timeframe for something like this to
make it from design to release?
The first step to get this into Mozilla would be to file a bug in
bugzilla, of type enhancement
Adrian M wrote:
Hi...
Does someone know if they allow now 128 bit encryption in France ?
( it used to be that only 56 bit encryption can be used in France ).
Is mozilla.org concerned about this ( maybe offering a special browser
that uses only 56 bit encryption or something like that ).
Thanks.
Scott,
Scott Rea wrote:
This is exactly my issue - thanks for putting it so succinctly Nelson!!
You should be able to import the CRL into Mozilla using an LDAP URL,
such as
ldap://strange:1389/uid=ca,dc=netscape,dc=com?certificaterevocationlist;binary
. Of course the URL must match your
Scott,
Scott Rea wrote:
I am doing this on a Windows 2000 box and an LDAP URL opens the Windows
Address Book [not very helpful] whether I enter the URL in IE or
Mozilla. How can I get Mozilla to do the same as it does for *.crl files
that are entered into the address bar?
Woops. Looks like
Nicholas Wright wrote:
Yes - but signtool doesn't recognize cert8.db. How do you sign things now?
If you get a full distribution of NSS 3.8, or build it yourself, the
signtool will work with cert8.db .
Keith wrote:
Hi, I am attempting to build an application that requires the NSS
libraries. When I downloaded the current tarball (version 3.8) for
Darwin (OS X), the lib directory is empty. This is not the case in
tarballs for other OSes.
Hmm, indeed, that's quite odd. We will look into this.
Hi,
[EMAIL PROTECTED] wrote:
I have a PKI with 3 levels:
1. A root self-signed certificate at the first level
2. Sub certification authorities certified by the first one at second level
3. User certificates certified by second level authorities at third level.
That is a fairly typical PKI.
All
Jean-Marc,
Jean-Marc Desperrier wrote:
All in one, I don't think it's a good practice at all not to include this
verification inside the crl check function.
There is no client that should have a need to continue to trust an
outdated crl.
It's standard practice that if the only available crl is
Jean-Marc,
Jean-Marc Desperrier wrote:
Is there a way to get PSM to make any use of the crl distribution point
(crldp) extension ?
How is it handled within NSS ? (I could check the source/doc. I will if
nobody feels inclined to respond)
Or you could type distribution point in bugzilla query
Jean-Marc,
Jean-Marc Desperrier wrote:
In many situations, eg. if your client (or even server) is in a
submarine, with no available connection to the outside world to
download a newer CRL, it may be acceptable to use the latest CRL
available, even if the nextUpdate has passed, than to fail
Jean-Marc,
Jean-Marc Desperrier wrote:
This is not currently supported in NSS. See bugzilla 133191 .
At this time, the only CRL format supported by NSS is full CRLs.
Sorry Julien, there's a confusion here.
The one I was talking about is the certificate extension, which is named
CRL
LiuPeng wrote:
Does anyone know how to build NSS release version in Solaris? I use 'make
nss_build_all' to build debug version, how to build release version?
Just set BUILD_OPT=1 in your environment, then make nss_build_all .
[EMAIL PROTECTED] wrote:
I wouldn't mind some fame and glory, if I find the time I'll go for
it... actually I am building a so called .NET P/Invoke Layer for NSS to
give it to the Mono project. I have much more side work to do just to get
a decent number of NSS-compatible PKCS#11 modules and I
Nelson,
Nelson B wrote:
3. If I'm not mistaken, NSS 3.9 *should* be a drop in replacement for
NSS 3.7 and later, so it should be possible to simply install the NSS 3.9
shared libraries over the older ones in existing products. No need to
wait for a new product release to use the new NSS. (Be
POC wrote:
Julien,
Could you refresh my memory about FIPS mode? How do you turn it on in
NSS (what API call) and if not on, what does that entail for an NSS
app?
FIPS mode is a higher security mode of operation. You will get a lot
more token password prompts, and private keys cannot travel
Mark,
Mark Thacker wrote:
So, two questions please :
* Is it possible to convert a cert8.db into a cert7.db , or at least
extract what I need out of it?
No program exists to do that, only in the other direction.
* What version of NSS (and NSPR) is needed to generate cert7.db
formatted
moonwulf wrote:
Hello,
I have a problem using the pkcs11 library. I am working under linux, and using
gcc. I load the libcryptoki.so dynamically.
Who makes that libcryptoki.so ? Is that a known good PKCS#11 library ?
Please try it with an existing PKCS#11 application, such as Mozilla or
the NSS
Jean-Marc,
Jean-Marc Desperrier wrote:
Nelson B wrote:
Duane wrote (quoting me):
I was under the impression, that mozilla (the browser) was like MS
IE in
that it automatically checked based on CRL urls in certificates...
Once a mozilla user primes the pump by loading the first CRL, then
Alex,
Deacon, Alex wrote:
1) Although the option to perform cert validation (either via OCSP or CRL)
should be a user configurable option, I believe that the application should
ship with this option turned ON by default.
It would be nice, but I wonder how many users would complain about all
Hi,
Deacon, Alex wrote:
VeriSign has spent a lot of time and effort recently ensuring that not only
do our OCSP services work, but that they will continue to work as the load
increases. Clearly there is no excuse for any CA, especially VeriSign, to
have a faulty OCSP implementation...especially
Frank,
I think you have just opened a big can of worms with this Certificate
policy.
- It should be called a Mozilla Certificate authority policy, not
Certificate policy. I don't think there is any plan to include any
non-CA certificates.
- I think the term default certificate database is
Frank Hecker wrote:
Julien Pierre wrote:
- It should be called a Mozilla Certificate authority policy, not
Certificate policy. I don't think there is any plan to include any
non-CA certificates.
I originally called it the Mozilla CA Certificate Policy, but changed it
just to have a shorter
This tool has not worked in years, since the cert/key databases got
moved to the softoken PKCS#11 module . It would be quite difficult to
get it to work again. We still keep the source in the tree, but it is
not buildable as you found out.
Ariadne wrote:
Hi,
Has anyone gotten dbck to compile,
Ian,
Ian Grigg wrote:
While you were worried about some mythical man
in the middle sneaking in and stealing your
password for no good purpose (the bank/fund
would be covered against that in general), you
were probably being robbed blind by your mutual
fund.
Those banking/fund protections may
Jean-Marc,
Jean-Marc Desperrier wrote:
So if you do CRL checking at all, there are good reasons to report this
check as failed if you only have access to a CRL whose nextUpdate is in
the past. Except of course if you have an date argument in the check
that says Check validity for *this* date
David Ross wrote:
Duane wrote:
We are talking about MONEY and PRIVACY. How much risk are you
willing to take with these?
So I take it you remove a lot of certificates from your copy of Mozilla
then?
I have disabled all CA certificates on my PC except those of the
three CAs vetted by the
Duane,
Duane wrote:
Those banking/fund protections may apply in some cases in the USA, but
they certainly don't always in other countries. If someone steals your
credit card number in France, you may still be liable. So SSL security
plays a much more important role than you think. I know this
Ian,
Ian Grigg wrote:
So SSL security
plays a much more important role than you think. I know this from
experience.
You have experience of someone stealing your
credit card over a connection? That's something
I'd like to hear about. It would be very useful
to apply some statistics to the
Jean-Marc,
Jean-Marc Desperrier wrote:
Wan-Teh Chang wrote:
If you would like to see this fix in NSS 3.9.1, please
add a comment in Bug 53133 and we can work with John
Myers to get his fix into the right NSS cvs branch.
I did that, and I could also verify it as fixed in the Mozilla trunk.
Jean-Marc Desperrier wrote:
Currently the defined maximum for NSS is *infinite*.
If there's any crl available for checking, however old, the check will
*never* return crl outdated. This is not configurable.
This in my opinion makes the CRL checking in NSS ineffective.
When the NSS check says
Ian Grigg wrote:
Jean-Marc Desperrier wrote:
I didn't say exactly that. I reported I heard the level of protection
is lower in America, but I don't have the exact description of the
difference, I might even be proven wrong. Or it might be different
depending on the state.
I also was
Roger,
rhkelly wrote:
So this proposal would be that Mozilla would get away of imposing to
all users a single built-in trusted CA, but instead distribute
several trusted CA list, with a description of the origin of each
list, how it is created, and let the users decide what is best for them.
Jean-Marc,
Jean-Marc Desperrier wrote:
Julien Pierre wrote:
First, let me point out that the RFC only recommends an algorithm to
verify certificates and signatures on the current date, but not at
dates in the past.
I don't want to stretch the whole discussion any longer, but if you
Jean-Marc Desperrier wrote:
You mean a bank *operating* in France, Julien ?
If that's so, that's a disgusting thing to do.
You can call any consumers' association and denounce that.
If your bank really did that, they lied and cheated you.
Yes they did ...
The French law is very clear. You can
Ian Grigg wrote:
I also know someone in the US who lost her credit card number over a
connection. She did a non-SSL transactions (with a business that
didn't have a cert) on a university network.
I'd be interested in establishing that - this is
the first time I've ever heard anyone claim
Ian,
Ian Grigg wrote:
The point in auditing the CAs is that it's better than not auditing
the CAs at all.
It's not an absolute. There is no point in auditing
the CAs if it achieves little or nothing, in terms of
security, and costs money.
True, but I lost you after the if. I think the
Jon Maber wrote:
The question is this: is it possible for the server that issues/stores
user certificates to instruct the PKCS#11 Module not to store the
private key (or certificate) in any kind of persistent store? There
are two scenarios where we might want to apply this, 1) when the
Duane wrote:
Julien Pierre wrote:
I don't need to tell you how vulnerable that is to snooping by all
the ISPs and relays, or any thief in between. I don't have any stats
on it, but I bet it's a significant cause of fraud.
I rate this about the same as companies that get credit card
Duane wrote:
Julien Pierre wrote:
Only if you are encrypting to the correct party, and not to a thief.
This is why we have CAs and trust.
Ian made a point of this about a Gold company using a self signed
certificate and not having a problem. At this current point in time if
I were a thief
Duane,
The idea is good, but as you point out, protocols such as LDAP already
exist to do this.
What's missing is a global (worldwide) directory that's independent of a
particular corporation or government. The key problem is that no one
entity would have the resources to host such a server.
Hi,
Jean-Marc Desperrier wrote:
Julien Pierre wrote:
[...]
My experience is that's more protection than is afforded to credit
cards in France. In particular, the quality of goods provision
means that most US merchants have flexible return policies. I have
tried returning stuff I bought
Jean-Marc,
Jean-Marc Desperrier wrote:
Julien Pierre wrote:
You can however implement what you want without NSS changes, by
wrapping the NSS certificate verification function.
By effectively reimplementing a certificate chain build algorithm.
Extending it is more like it, since you reuse
Jean-Marc Desperrier wrote:
Julien Pierre wrote:
[...]
I guess I am the only one in the world who has that option turned on,
the dialog does come up for every one of my google search and other
posts. And I know to watch for it when I submit sensitive data. It
has come up on a few occasions
Henrik,
I thought the message made it quite clear that it is a problem with the
server. There could be a lot of reasons for this, but the main one is
somebody is trying to play CA and does not know the rules of PKI. They
may have issued multiple server certs with the same serial number, or
Henrik,
Henrik Gemal wrote:
Thanks for the info, Pierre.
First name is Julien actually...
2
Could you help determine the cause of this alert so I can report it to
the server admins.
I narrowed it down to this URL. To reproduce, first go to:
https://i.tdconline.dk/tdco/gfx/local/sso/knap_q.gif
Gervase,
Gervase Markham wrote:
Frank Hecker wrote:
There's still the trademark issue, but I don't see why this couldn't
be handled consistently with other localization-specific changes. For
example, if the Mozilla Foundation allows the creators of the
France-localized version to include,
Jean-Marc,
Jean-Marc Desperrier wrote:
But the fingerprint of the two certificates do not match anymore, so NSS
reports them as two different certs with the same serial number.
Maybe for *that* particular case, NSS should use a fingerprint based on
the signed part of the cert.
It is annoying
Jean-Marc Desperrier wrote:
I didn't require that :-)
I believe this also means you use the same alg as Microsoft CAPI which
makes things simpler for everybody.
And the specification for that algorithm would be where ?
The signed part of them should. The unsigned part is not required to.
Can
Benjamin,
Make sure to use gmake 3.79 or later on windows platforms.
___
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
Pradnyesh Rane wrote:
Am I missing something while building NSS? Was dbopen function
dropped/added in between versions?
In NSS 3.4 and later, the database code was separated in a PKCS#11
library called libsoftokn3.so . Also, I don't believe the dbopen symbol
is exported from it . I'm not sure
Ian Grigg wrote:
It seems to be that every new product there
is faced with four choices:
1. do no security;
2. do a quick and nasty home built hack
of a protocol;
3. create a good, aligned, secure,
precise and appropriate crypto protocol;
4. use a standard tool that is already