Re: xmlsec / ECDSA problem

2017-02-17 Thread Martin Thomson
On Sat, Feb 18, 2017 at 8:59 AM, Jeremy Rowley wrote:
> It's still permitted in the policy.
>
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#inclusion

Yes, well...  The policy says P-512, which doesn't actually exist.
The intent is clear though.  I've asked Kathleen to correct that.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


RE: xmlsec / ECDSA problem

2017-02-17 Thread Jeremy Rowley
It's still permitted in the policy. 

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#inclusion

Section 8.

-Original Message-
From: dev-tech-crypto [mailto:dev-tech-crypto-bounces+jeremy.rowley=digicert@lists.mozilla.org] On Behalf Of Martin Thomson
Sent: Wednesday, February 15, 2017 5:06 PM
To: mozilla's crypto code discussion list
Cc: mozilla-dev-tech-crypto
Subject: Re: xmlsec / ECDSA problem

On Thu, Feb 16, 2017 at 4:22 AM, Gervase Markham  wrote:
> Did things break when we disabled it?

A few things.  It lasted less than a day in Nightly before we got multiple
bug reports.

> Do we know why Chrome decided not to support it? Two NIST curves is enough?

That's my understanding.  P-521 isn't busted, it's just a little inefficient
and not enough stronger than P-384 (or X448) that it is worth keeping around
when faced with a working quantum computer.  That and the fact that more
options is more code to carry, more options to signal, and so forth.  I
think that's the reasoning.

Re: Are NSS bug fix releases still FIPS 140-2 certified?

2017-02-17 Thread Ernie Kovak
Red Hat validated their NSS cryptographic module again at the end of 2016, 
using NSS v3.16.2.3-13.el7_1. See cert# 2711 in the NIST validated modules list:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2016.htm


[ANNOUNCE] NSS 3.28.3 Release

2017-02-17 Thread Kai Engert
The NSS team has released Network Security Services (NSS) 3.28.3

No new functionality is introduced in this release.
This is a patch release to fix binary compatibility issues.

NSS versions 3.28, 3.28.1 and 3.28.2 contained changes that were in violation
of the NSS compatibility promise.

ECParams, which is part of the public API of the freebl/softokn parts of NSS,
had been changed to include an additional attribute. That size increase caused
crashes or malfunctioning with applications that use that data structure
directly, or indirectly through ECPublicKey, ECPrivateKey, NSSLOWKEYPublicKey,
NSSLOWKEYPrivateKey, or potentially other data structures that reference
ECParams. The change has been reverted to the original state in bug 1334108.

SECKEYECPublicKey had been extended with a new attribute, named "encoding". If
an application passed type SECKEYECPublicKey to NSS (as part of
SECKEYPublicKey), the NSS library read the uninitialized attribute. With this
NSS release SECKEYECPublicKey.encoding is deprecated. NSS no longer reads the
attribute, and will always set it to ECPoint_Undefined. See bug 1340103.

The full release notes are available at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28.3_release_notes

The HG tag is NSS_3_28_3_RTM. NSS 3.28.3 requires NSPR 4.13.1 or newer.

NSS 3.28.3 source distributions are available for secure download:
https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_28_3_RTM/src/



[ANNOUNCE] NSS 3.29.1 Release

2017-02-17 Thread Kai Engert
The NSS team has released Network Security Services (NSS) 3.29.1

No new functionality is introduced in this release.
This is a patch release to fix binary compatibility issues.

NSS versions 3.28, 3.28.1, 3.28.2 and 3.29 contained changes that were in
violation of the NSS compatibility promise.

ECParams, which is part of the public API of the freebl/softokn parts of NSS,
had been changed to include an additional attribute. That size increase caused
crashes or malfunctioning with applications that use that data structure
directly, or indirectly through ECPublicKey, ECPrivateKey, NSSLOWKEYPublicKey,
NSSLOWKEYPrivateKey, or potentially other data structures that reference
ECParams. The change has been reverted to the original state in bug 1334108.

SECKEYECPublicKey had been extended with a new attribute, named "encoding". If
an application passed type SECKEYECPublicKey to NSS (as part of
SECKEYPublicKey), the NSS library read the uninitialized attribute. With this
NSS release SECKEYECPublicKey.encoding is deprecated. NSS no longer reads the
attribute, and will always set it to ECPoint_Undefined. See bug 1340103.

(Note that NSS 3.28.3 from the older NSS 3.28.x branch has also been released
 with the identical fixes.)

The full release notes are available at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.29.1_release_notes

The HG tag is NSS_3_29_1_RTM. NSS 3.29.1 requires NSPR 4.13.1 or newer.

NSS 3.29.1 source distributions are available for secure download:
https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_29_1_RTM/src/

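
The ECParams breakage described in the two release announcements above, as an added example (not NSS code and not from the announcements): it shows how growing a public struct moves the members of every struct that embeds it, so a library using the new layout misreads a key built with the old header. The struct names, fields and sizes are hypothetical stand-ins, and the mismatch is simulated with byte copies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified layouts: NOT the real NSS definitions. */
typedef struct { uint32_t curve; unsigned char order[8]; } ParamsV1;  /* header the app was built with */
typedef struct { uint32_t curve; unsigned char order[8]; uint32_t extra; } ParamsV2;  /* after the change */
/* Keys embed the params by value, so growth moves every later member. */
typedef struct { ParamsV1 params; unsigned char point[16]; } PubKeyV1;
typedef struct { ParamsV2 params; unsigned char point[16]; } PubKeyV2;
/* Guard a library can keep in its tests: public struct size is ABI. */
_Static_assert(sizeof(ParamsV1) == 12, "public struct layout changed");

size_t point_offset_shift(void) { return offsetof(PubKeyV2, point) - offsetof(PubKeyV1, point); }
size_t overrun_bytes(void) { return sizeof(PubKeyV2) - sizeof(PubKeyV1); }

/* Caller writes the old layout; the "library" decodes the same bytes with the
 * new one. The buffer is sized for the larger struct so the demo stays in bounds. */
static PubKeyV2 decode_as_v2(const PubKeyV1 *app) {
    unsigned char raw[sizeof(PubKeyV2)] = {0};
    PubKeyV2 lib;
    memcpy(raw, app, sizeof *app);
    memcpy(&lib, raw, sizeof lib);
    return lib;
}
static PubKeyV1 sample_key(void) {  /* constructed sample data */
    PubKeyV1 k = { { 23, {0} }, {0} };
    memset(k.point, 0xAB, sizeof k.point);
    return k;
}

/* 1 if the library reads the point the caller stored, 0 otherwise. */
int library_sees_callers_point(void) {
    PubKeyV1 app = sample_key();
    PubKeyV2 lib = decode_as_v2(&app);
    return memcmp(lib.point, app.point, sizeof app.point) == 0;
}

/* Value the library finds in the attribute the caller never set. */
uint32_t misread_extra(void) {
    PubKeyV1 app = sample_key();
    return decode_as_v2(&app).params.extra;
}

int main(void) {
    printf("shift=%zu overrun=%zu same_point=%d extra=0x%08x\n", point_offset_shift(),
           overrun_bytes(), library_sees_callers_point(), (unsigned)misread_extra());
    return 0;
}
```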