Re: Clarification regarding SEC_PKCS7VerifyDetachedSignatureAtTime
> What does this mean for building Firefox?
>
> If you want to build a development snapshot of Firefox against a
> systemwide installed NSS, and you want to build Firefox 22 aurora at
> this time, you have the following choices:
>
> - don't build Firefox 22 aurora until Mozilla cleaned up the
>   situation.
>   If you are waiting for that to happen, you could remind Mozilla
>   to either apply bug 853776 to aurora 22
>   or to extend bug 858231 to cover aurora 22, too.

I will apply the patches for bug 853776 to mozilla-aurora. The patch for that is going through try now: https://tbpl.mozilla.org/?tree=Try&rev=5d0543e962b6

> Let's hope this kind of situation will remain an exception and can be
> avoided in the future.

The expectation should be that there will be local patches in mozilla-central and mozilla-aurora whenever those patches are the fastest way to get work done for Firefox. I will do what I can to get as many patches upstreamed first but in order for Mozilla to be able to experiment and test changes we want to upstream, to minimize disruption to the other users of NSS, we should utilize the ability to have private patches in mozilla-central and mozilla-aurora more.

Cheers,
Brian
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Announce NSS 3.15 BETA 1
About 2 weeks ago, we had announced that NSS version 3.15 will use a new directory layout.

We assume that consumers and packagers of NSS will have to adjust their environment to the new layout.

In order to allow you to prepare early, you may use the BETA 1 version that we have made available.

http://ftp.mozilla.org/pub/mozilla.org/security/nss/beta/NSS_3_15_BETA1/src/

This isn't a general release, but only a BETA version. At this time, you should use it for experimental environments, only.

Regards
Kai

Clarification regarding SEC_PKCS7VerifyDetachedSignatureAtTime
I'm sending this explanation because I've seen several people being confused, and I anticipate the confusion might continue for a while. Since nobody else has done so yet, I'm writing this clarification in the hope it is useful to avoid future confusion.

As of today, there are development branches of Firefox that require a new API, a function named:
  SEC_PKCS7VerifyDetachedSignatureAtTime

Those Firefox development branches contain a modified version of NSS, which adds that function as a new API.

This means, attempts to build those development branches of Firefox against a systemwide installed NSS will currently fail, because no released NSS version contains the required API yet.

Fortunately, by now, agreement has been reached how to clean up this situation: The next version of NSS (3.15) will contain the new API that Mozilla has already added to their copies of earlier versions of NSS.

It will be another couple of weeks until NSS 3.15 gets released; it might be realistic to expect it around end of April.

Which Firefox branches are affected?

Firefox 23 = current mozilla-central
- currently still using NSS 3.14.3, but with a local patch applied
- expected to upgrade soon to NSS 3.15 beta (tracked in bug 858231)
- in other words, hopefully it will be cleaned up very soon

Firefox 22 = current mozilla-aurora
- currently still using NSS 3.14.3, but with a local patch applied
- I understand that Mozilla engineers are still undecided how to clean up
- options are: either same as Firefox 23 or same as Firefox 21

Firefox 21 = current mozilla-beta
- earlier snapshots of Firefox 21 had used this function
- in the meantime this has been cleaned up in bug 853776 by removing the Firefox application code that calls the function, thereby making the new NSS API unnecessary.

Firefox Boot2Gecko B2G 18 branch
- uses a fork of NSS 3.14.3 with the new API added as a patch

What does this mean for building Firefox?

If you want to build a development snapshot of Firefox against a systemwide installed NSS, and you want to build Firefox 22 aurora at this time, you have the following choices:

- don't build Firefox 22 aurora until Mozilla cleaned up the situation.
  If you are waiting for that to happen, you could remind Mozilla to either apply bug 853776 to aurora 22 or to extend bug 858231 to cover aurora 22, too.

- if you are testing locally and you don't need to package the current development snapshot of Firefox/NSS, until the situation gets cleaned up by Mozilla, you could temporarily build without --with-system-nss

- if you must build Firefox 22 aurora right now, and you must have a compatible system NSS right now, then
  - either use the forked version of NSS that Mozilla has used, by applying the patch that you can find in the Firefox source in directory mozilla/security/patches, and install your modified version as system NSS
  - or use NSS 3.15 "beta 1"

Let's hope this kind of situation will remain an exception and can be avoided in the future.

Regards
Kai

Re: Removal of generateCRMFRequest
On 2013-04-08 15:21, helpcrypto helpcrypto wrote:
> On Mon, Apr 8, 2013 at 12:10 PM, Anders Rundgren
> wrote:
>> This seems to be out of scope:
>> http://lists.w3.org/Archives/Public/public-webcrypto/2013Apr/0072.html
>
> Hi Anders.
>
> As it scopes signing:
> http://www.w3.org/TR/WebCryptoAPI/#Crypto-method-sign, I suppose you
> mean smartcards are out of scope.
>
> Until there's another alternative (don't you have one? :P), keygen and
> smartcard handling could/should remain the same.
> As you know, and as we have talked several times, we need something
> new/better, but until then, we need to continue supporting this.
>
> Maybe W3C Crypto Group should consider changing their scope to
> adopt/propose a new standard for all this?

I think there is too much prestige and IPR associated for this to be realistic.
Hordes of patent trolls are just waiting for suing the asses off Google and Microsoft.

Re: Removal of generateCRMFRequest
On Mon, Apr 8, 2013 at 12:10 PM, Anders Rundgren wrote:
> This seems to be out of scope:
> http://lists.w3.org/Archives/Public/public-webcrypto/2013Apr/0072.html

Hi Anders.

As it scopes signing: http://www.w3.org/TR/WebCryptoAPI/#Crypto-method-sign, I suppose you mean smartcards are out of scope.

Until there's another alternative (don't you have one? :P), keygen and smartcard handling could/should remain the same.
As you know, and as we have talked several times, we need something new/better, but until then, we need to continue supporting this.

Maybe W3C Crypto Group should consider changing their scope to adopt/propose a new standard for all this?

Re: Removal of generateCRMFRequest
On 2013-04-08 14:52, helpcrypto helpcrypto wrote:
>>> More generally, I would like to remove all the Mozilla-proprietary methods
>>> and properties from window.crypto; i.e. all the
>>> ones at https://developer.mozilla.org/en-US/docs/JavaScript_crypto. Some of
>>> them are actually pretty problematic.
>>> Are there any worth keeping?
>>>
>> signText() is used heavily by us. It would be a pity to miss it... .
>
> While awaiting to http://www.w3.org/TR/WebCryptoAPI/ Java applets for
> client signing, signText and are needed.

This seems to be out of scope:
http://lists.w3.org/Archives/Public/public-webcrypto/2013Apr/0072.html

> Also things like Handling smart card events or Loading PKCS #11
> modules is being used by many.
> So, you _CANT_ remove
> https://developer.mozilla.org/en-US/docs/JavaScript_crypto
>
> If you want/need more detailed discussions, don't hesitate to ask me.
>

Re: Removal of generateCRMFRequest
>> More generally, I would like to remove all the Mozilla-proprietary methods
>> and properties from window.crypto; i.e. all the
>> ones at https://developer.mozilla.org/en-US/docs/JavaScript_crypto. Some of
>> them are actually pretty problematic.
>> Are there any worth keeping?
>>
> signText() is used heavily by us. It would be a pity to miss it... .

While awaiting to http://www.w3.org/TR/WebCryptoAPI/ Java applets for client signing, signText and are needed.

Also things like Handling smart card events or Loading PKCS #11 modules is being used by many.
So, you _CANT_ remove https://developer.mozilla.org/en-US/docs/JavaScript_crypto

If you want/need more detailed discussions, don't hesitate to ask me.