Howard Chu wrote, On 2008-08-12 19:12:
That was the other point I was trying to make about global state... It's
common practice to set up services with private CAs, so that random nosy
clients cannot connect to them. In an OpenLDAP proxy installation you'll
have one server cert/key and
On Wed, Aug 6, 2008 at 1:11 PM, Eddy Nigg [EMAIL PROTECTED] wrote:
In other words, Comodo would issue multiple certificates for the very
same domain name? You could have multiple valid certificates for
www.mozilla.com?
Technically, there is absolutely nothing wrong with this. Multiple
IPs
Howard Chu wrote:
Nelson B Bolyard wrote:
Howard Chu wrote, On 2008-08-10 03:30:
When one considers all the important reasons to choose a crypto
implementation, support for one file format which is not used in any
standard protocols (e.g. TLS, SMIME) doesn't seem like a biggie.
The issue
Howard Chu wrote:
Likewise in the Mozilla Browser/nss_ldap situation, the credentials
needed for LDAP authentication will probably be quite different from the
credentials needed for web browsing or personal addressbook lookups. It
would be extremely bad if simply using Mozilla on a system
Hi,
SignerInfo crashes firefox 3 in Windows. Below I put the code and the
log files with Firefox 3.0.1
I have found a page about this bug.
http://support.mozilla.com/tiki-view_forum_thread.php?locale=ltforumId=1comments_parentId=86104
But there isn't a valid solution
Do you know how to resolve it?
If
Robin Alden wrote:
Sure, but CAs issue certificates to IP addresses too (as we discuss below)
yet the policy does not allow for the possibility. Either the policy is
imprecise, or it is being flouted by the CAs that issue certificates for IP
addresses.
You're correct, this is a gap in our
Michael Ströder wrote:
I'd really appreciate if the OpenLDAP client libs could make use of
client certs I have in my Mozilla profile.
Don't be so sure; it's not as good as it sounds... Without the new shared DB
support in NSS, this would very likely corrupt your certDBs in short order.
E.g.,
On Aug 12, 7:37 pm, Kyle Hamilton [EMAIL PROTECTED] wrote:
Could you perhaps post your certificate chain?
-Kyle H
What is presented in the browser for the certificate chain:
http://www.tryventi.com/certissue/trust1.png
http://www.tryventi.com/certissue/trust2.png
Howard Chu wrote:
Michael Ströder wrote:
I'd really appreciate if the OpenLDAP client libs could make use of
client certs I have in my Mozilla profile.
Don't be so sure; it's not as good as it sounds... Without the new
shared DB support in NSS, this would very likely corrupt your certDBs
Frank Hecker wrote:
Frank Hecker wrote:
I am now opening the first public discussion period for a request from
Comodo to add the Comodo ECC Certification Authority root certificate
to Mozilla and enable it for EV use. This is bug 421946, and Kathleen
has produced an information document
Looking for more information on this issue, I've looked for signed
applets that DO WORK on Firefox 3.0.1/mac osx.
Again, 'works' is defined as if the applet is signed, with a valid
cert, and chain of trust to a trusted root CA, then no scary-and-
confusing-to-a-user messages should come up.
Robin Alden:
I think an IP address is almost on the same level as a domain name, but
even here there can be problems. For example if you are willing to
validate dynamically assigned IP addresses, then this can be actively
exploited obviously. An assigned IP may belong to somebody else within a
On Wed, Aug 13, 2008 at 8:01 AM, Howard Chu [EMAIL PROTECTED] wrote:
Michael Ströder wrote:
Well, the situation of stuffing everything in a directory/file with
PEM-formatted certs is not better. And every software can have its own
cert?.db.
At least filesystems are known to safely support
Frank Hecker wrote:
Robin Alden wrote:
snip
Frank, would you consider these practices of issuing certificates to
hostnames* and also of issuing to non-internet routable IP addresses as
being something to add to your problematic practices list?
Yes, I'll do that.
Done:
Frank Hecker:
Yes, I'll do that. (Incidentally, I'm now calling it the potentially
problematic practices list, because there's a lack of consensus on the
extent to which some of these practices are problems in general.)
Frank, where is the lack of consensus exactly? Are you referring to bug
Eddy Nigg wrote:
Frank Hecker:
Yes, I'll do that. (Incidentally, I'm now calling it the potentially
problematic practices list, because there's a lack of consensus on the
extent to which some of these practices are problems in general.)
Frank, where is the lack of consensus exactly?
IIRC
Michael,
Michael Ströder wrote:
Wan-Teh Chang wrote:
Most NSS-based server applications open the NSS databases in
read-only mode, so they can run with multiple processes safely. But
client applications such as Firefox and Thunderbird open the NSS
databases in read-write mode.
According
Julien R Pierre - Sun Microsystems wrote:
Michael,
Michael Ströder wrote:
Wan-Teh Chang wrote:
Most NSS-based server applications open the NSS databases in
read-only mode, so they can run with multiple processes safely. But
client applications such as Firefox and Thunderbird open the NSS
This is definitely a Java problem, not a Firefox issue. Since Sun
does not do the OSX Java releases, the best place to file a bug report
on this issue would be http://bugreport.apple.com/ -- an Apple
Developer Center (ADC) ID is required to submit bug reports there.
-Kyle H
On Wed, Aug 13, 2008
Rich Megginson wrote:
Howard Chu wrote:
At any rate, I've committed the preliminary code to CVS so you can
tinker with it if you want. It will take a lot more beating on before
it's actually usable.
Some Red Hat folks have been working on adding NSS support to OpenLDAP.
It's almost ready
21 matches