Jean-Marc Desperrier wrote:
Ian Grigg wrote:
Jean-Marc Desperrier wrote:
He does not compute the SHA1/MD5, he returns the
cert.sha1Fingerprint, cert.md5Fingerprint value from a nsIX509Cert
object he gets back from nsISSLStatus status.
Darn. One supposes that this is authoritive,
in that NSS will also
If you don't trust NSS to be able to compute a SHA1 correctly, you
shouldn't use it to do SSL ...
I suspect there's been a misunderstanding here. I took Ian's "One supposes"
remark as an unfinished sentence, and so did not attempt to interpret it.
Jean-Marc seems to have interpreted it to mean that Ian was suggesting that
NSS will take a fingerprint value found in nsIX509Cert as a correct
fingerprint (hash) whether or not it is that.
But IINM, the values returned through nsIX509Cert are computed by NSS from
the actual DER cert itself. nsIX509Cert depends on NSS, not the other way
around. IMO, NSS is right to trust its own computations as correct.
Perhaps Ian misunderstood the dependency, or perhaps he meant something else.
Ian, maybe you should clarify your "One supposes" remark for us.
I'm not sure what to make of the word "authoritative". Anyone can compute
a SHA1 hash of anything.
/Nelson
_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security
