Re: xmlsec / ECDSA problem
On Sat, Feb 18, 2017 at 8:59 AM, Jeremy Rowleywrote: > It's still permitted in the policy. > > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs > /policy/#inclusion Yes, well... The policy says P-512, which doesn't actually exist. The intent is clear though. I've asked Kathleen to correct that. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
RE: xmlsec / ECDSA problem
It's still permitted in the policy. https://www.mozilla.org/en-US/about/governance/policies/security-group/certs /policy/#inclusion Section 8. -Original Message- From: dev-tech-crypto [mailto:dev-tech-crypto-bounces+jeremy.rowley=digicert@lists.mozilla.org ] On Behalf Of Martin Thomson Sent: Wednesday, February 15, 2017 5:06 PM To: mozilla's crypto code discussion listCc: mozilla-dev-tech-crypto Subject: Re: xmlsec / ECDSA problem On Thu, Feb 16, 2017 at 4:22 AM, Gervase Markham wrote: > Did things break when we disabled it? A few things. It lasted less than a day in Nightly before we got multiple bug reports. > Do we know why Chrome decided not to support it? Two NIST curves is enough? That's my understanding. P-521 isn't busted, it's just a little inefficient and not enough stronger than P-384 (or X448) that it is worth keeping around when faced with a working quantum computer. That and the fact that more options is more code to carry, more options to signal, and so forth. I think that's the reasoning. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto smime.p7s Description: S/MIME cryptographic signature -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Are NSS bug fix releases still FIPS 140-2 certified?
Red Hat validated their NSS cryptographic module again at the end of 2016, using NSS v3.16.2.3-13.el7_1. See cert# 2711 in the NIST validated modules list: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2016.htm -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
[ANNOUNCE] NSS 3.28.3 Release
The NSS team has released Network Security Services (NSS) 3.28.3 No new functionality is introduced in this release. This is a patch release to fix binary compatibility issues. NSS version 3.28, 3.28.1 and 3.28.2 contained changes that were in violation with the NSS compatibility promise. ECParams, which is part of the public API of the freebl/softokn parts of NSS, had been changed to include an additional attribute. That size increase caused crashes or malfunctioning with applications that use that data structure directly, or indirectly through ECPublicKey, ECPrivateKey, NSSLOWKEYPublicKey, NSSLOWKEYPrivateKey, or potentially other data structures that reference ECParams. The change has been reverted to the original state in bug 1334108. SECKEYECPublicKey had been extended with a new attribute, named "encoding". If an application passed type SECKEYECPublicKey to NSS (as part of SECKEYPublicKey), the NSS library read the uninitialized attribute. With this NSS release SECKEYECPublicKey.encoding is deprecated. NSS no longer reads the attribute, and will always set it to ECPoint_Undefined. See bug 1340103. The full release notes are available at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28.3_release_notes The HG tag is NSS_3_28_3_RTM. NSS 3.28.3 requires NSPR 4.13.1 or newer. NSS 3.28.3 source distributions are available for secure download: https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_28_3_RTM/src/ -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
[ANNOUNCE] NSS 3.29.1 Release
The NSS team has released Network Security Services (NSS) 3.29.1 No new functionality is introduced in this release. This is a patch release to fix binary compatibility issues. NSS version 3.28, 3.28.1, 3.28.2 and 3.29 contained changes that were in violation with the NSS compatibility promise. ECParams, which is part of the public API of the freebl/softokn parts of NSS, had been changed to include an additional attribute. That size increase caused crashes or malfunctioning with applications that use that data structure directly, or indirectly through ECPublicKey, ECPrivateKey, NSSLOWKEYPublicKey, NSSLOWKEYPrivateKey, or potentially other data structures that reference ECParams. The change has been reverted to the original state in bug 1334108. SECKEYECPublicKey had been extended with a new attribute, named "encoding". If an application passed type SECKEYECPublicKey to NSS (as part of SECKEYPublicKey), the NSS library read the uninitialized attribute. With this NSS release SECKEYECPublicKey.encoding is deprecated. NSS no longer reads the attribute, and will always set it to ECPoint_Undefined. See bug 1340103. (Note that NSS 3.28.3 from the older NSS 3.28.x branch has also been released with the identical fixes.) The full release notes are available at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.29.1_release_notes The HG tag is NSS_3_29_1_RTM. NSS 3.29.1 requires NSPR 4.13.1 or newer. NSS 3.29.1 source distributions are available for secure download: https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_29_1_RTM/src/ -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto