Compatibility with signing. Was: client certificates unusable?

2009-03-21 Thread Anders Rundgren
'since you obviously shouldn't have different PKI UIs for signatures and authentication'? What crack are you smoking? In the Real World, we have a different UI for authentication -- the principal presenting an ID card -- than the UI for signatures -- a piece of paper, a pen, and a unique mark

Re: NSSSSL_VersionCheck Sigpipe with curl

2009-03-21 Thread John D
I wonder how thread safe NSS' integration with libcurl actually is. No offense Daniel but after switching to gnutils with their macros all problems related to this matter are resolved. So be it. Kind thanks, JD On 3/21/09, John D cono...@gmail.com wrote: On 3/21/09, Wan-Teh Chang

Re: Fetch server certificate from an authenticated SSL session

2009-03-21 Thread Subrata Mazumdar
Hi Arun, You can follow the code in PSM that displays the server certificate when you double-click on the lock icon in the status-bar : http://mxr.mozilla.org/mozilla-central/source/browser/base/content/pageinfo/security.js#119

Re: client certificates unusable?

2009-03-21 Thread Ian G
On 20/3/09 08:32, Anders Rundgren wrote: This is a stupid discussion. Authentication schemes in general begin with authenticating the user. How long the authentication should be considered as valid is not something the client-end has anything to do with unless it has gotten some kind of

Re: NSSSSL_VersionCheck Sigpipe with curl

2009-03-21 Thread Wan-Teh Chang
2009/3/20 John D cono...@gmail.com: I have attempted this to the result of Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1810576496 (LWP 3177)] 0xb79e6547 in NL_VersionCheck () from /usr/lib/libssl3.so.1d (gdb) where #0  0xb79e6547 in NL_VersionCheck ()

Re: client certificates unusable?

2009-03-21 Thread Ian G
On 20/3/09 22:30, Kyle Hamilton wrote: 'since you obviously shouldn't have different PKI UIs for signatures and authentication'? What crack are you smoking? Hey Kyle, I think you are thinking way too far ahead here... In the Real World, we have a different UI for authentication -- the

Re: NSSSSL_VersionCheck Sigpipe with curl

2009-03-21 Thread Daniel Stenberg
On Sat, 21 Mar 2009, John D wrote: I wonder how thread safe NSS' integration with libcurl actually is. No offense Daniel but after switching to gnutils with their macros all problems related to this matter are resolved. So be it. I'm absolutely sure on how we use NSS in libcurl, and the

Re: client certificates unusable?

2009-03-21 Thread Ian G
On 21/3/09 16:54, Eddy Nigg wrote: Huu? No outcry about rudeness in mailing lists here? Eddy, I agree that rudeness was carrying us away from the problem and on to the personalities. Indeed, it's up to all of us to be minded of this. For reasons that are too wordy to be worth the

Re: client certificates unusable?

2009-03-21 Thread Ian G
On 20/3/09 19:29, Anders Rundgren wrote: This is a stupid comment. Pardon me. I just don't agree with the majority of this list since many governments and banks in the EU are working in another direction. This may be due to ignorance Folks, Anders is right about this worldview difference.

Re: client certificates unusable?

2009-03-21 Thread Nelson B Bolyard
Kyle Hamilton wrote, On 2009-03-20 02:15: This is a stupid comment. Then why post it? There are many people who think differently; I, for one, think that server-auth is the *worse* part of TLS (because there's no branding of what CA is responsible for the certification, there's no way to

Re: client certificates unusable?

2009-03-21 Thread Nelson B Bolyard
Ian G wrote, On 2009-03-21 12:32: It seems that we have a consensus that client certificates (in a client authentication role at least) are unusable with the current system. Approximately, for many reasons. Sorry, I disagree. There are many places (companies, governments) that use client

Re: client certificates unusable?

2009-03-21 Thread Kyle Hamilton
On Sat, Mar 21, 2009 at 1:11 PM, Nelson B Bolyard nel...@bolyard.me wrote: Kyle Hamilton wrote, On 2009-03-20 02:15: This is a stupid comment. Then why post it? Because Anders was referring to the argument as stupid, and I was referring to his comment as stupid. (Sometimes, just sometimes,

Re: client certificates unusable?

2009-03-21 Thread Kyle Hamilton
I should also add: The problem is not simply on the server's end, Nelson. You've been pointing at them for years. (The DoD also doesn't use Firefox, so they don't end up filing bugs against it anyway.) The client was built around the same paradigm as the server. The client paradigm is what

Re: client certificates unusable?

2009-03-21 Thread Eddy Nigg
On 03/21/2009 09:32 PM, Ian G: On 21/3/09 16:54, Eddy Nigg wrote: Huu? No outcry about rudeness in mailing lists here? Eddy, I agree that rudeness was carrying us away from the problem and on to the personalities. Indeed, it's up to all of us to be minded of this. For reasons that

JSS: How to load symmetric key from NSS DB?

2009-03-21 Thread alex . agranov
I wonder how is it possible to load symmetric key that is stored inside the NSS DB via JSS API? I tried using KeyStore JCA class (as in org.mozilla.jss.tests.KeyStoreTest example): KeyStore ks = KeyStore.getInstance("Mozilla-JSS"); but it turns out that JSSProvider doesn't register

Re: client certificates unusable?

2009-03-21 Thread Nelson B Bolyard
Kyle Hamilton wrote, On 2009-03-21 14:07: On Sat, Mar 21, 2009 at 1:11 PM, Nelson B Bolyard nel...@bolyard.me wrote: Kyle Hamilton wrote, On 2009-03-20 02:15: There are many people who think differently; I, for one, think that server-auth is the *worse* part of TLS (because there's no

Re: client certificates unusable?

2009-03-21 Thread Nelson B Bolyard
Eddy Nigg wrote, On 2009-03-21 15:08: On 03/21/2009 10:43 PM, Nelson B Bolyard: The consensus of which you speak is actually a consensus among users of those crappy servers that, with those servers, client auth is unusable. I am part of that consensus. But I do not agree that changing the

Re: client certificates unusable?

2009-03-21 Thread Kyle Hamilton
On Sat, Mar 21, 2009 at 2:58 PM, Nelson B Bolyard nel...@bolyard.me wrote: Kyle Hamilton wrote, On 2009-03-21 14:07: No, I blame the browser UI for not exposing useful details of the TLS protocol. The TLS protocol explicitly does not call out the handling of server certificates: this is the

Re: client certificates unusable?

2009-03-21 Thread Ian G
On 21/3/09 21:43, Nelson B Bolyard wrote: Ian G wrote, On 2009-03-21 12:32: It seems that we have a consensus that client certificates (in a client authentication role at least) are unusable with the current system. Approximately, for many reasons. Sorry, I disagree. There are many places

Re: client certificates unusable?

2009-03-21 Thread Eddy Nigg
On 03/22/2009 12:26 AM, Ian G: Right, the problem perhaps is better expressed that some of these comments *aren't written with emoticons at the end* so it is not easy for those from diverse cultures to figure out the joke. Oh, and I save my stuff for those that appreciate fine red wine ;-)

Re: client certificates unusable?

2009-03-21 Thread Eddy Nigg
On 03/22/2009 12:55 AM, Ian G: I don't know about these things, but I recognise that badly configured servers are a pain. The servers I have experienced this with are Apache. They may be misconfigured, but the sysadms aren't agreeing at the moment, and talking about the sysadms being bad

Re: client certificates unusable?

2009-03-21 Thread Nelson B Bolyard
Ian G wrote, On 2009-03-21 15:55: I don't know about these things, but I recognise that badly configured servers are a pain. The servers I have experienced this with are Apache. They may be misconfigured, but the sysadms aren't agreeing at the moment, and talking about the sysadms being

Re: client certificates unusable?

2009-03-21 Thread Kyle Hamilton
On Sat, Mar 21, 2009 at 4:32 PM, Eddy Nigg eddy_n...@startcom.org wrote: On 03/22/2009 12:55 AM, Ian G: Hmmm, well, many questions abound: why wasn't it done? where was this discussed? Why didn't client certs just happen? Why are we still using passwords? Good question... it's because

Re: client certificates unusable?

2009-03-21 Thread Nelson B Bolyard
Kyle Hamilton wrote, On 2009-03-21 15:49: On Sat, Mar 21, 2009 at 2:58 PM, Nelson B Bolyard nel...@bolyard.me wrote: I blame NSS for choosing not to adhere to certain aspects of the SSL 3.0 and TLS 1.0 standards (accepting a ClientCertificateRequest with a zero-length list of identifiers of

Re: client certificates unusable?

2009-03-21 Thread Nelson B Bolyard
Ian G wrote, On 2009-03-21 07:00: After MITB surfaced (and scared the European bankers into action) What is that? Man In The Bank? I suppose you meant MITM, but if not, please clarify. people in finance circles started to realise that session authentication was a mistake from the beginning

Re: client certificates unusable?

2009-03-21 Thread Nelson B Bolyard
Kyle Hamilton wrote, On 2009-03-21 16:51: On Sat, Mar 21, 2009 at 4:32 PM, Eddy Nigg eddy_n...@startcom.org wrote: On 03/22/2009 12:55 AM, Ian G: Hmmm, well, many questions abound: why wasn't it done? where was this discussed? Why didn't client certs just happen? Why are we still using

Re: client certificates unusable?

2009-03-21 Thread Nelson B Bolyard
I wrote: Here's the TB RFE: https://bugzilla.mozilla.org/show_bug.cgi?id=437683 BTW, this client auth problem is MUCH MUCH worse for Thunderbird users than for browser users, because evidently a higher percentage of free email servers are crap. I'll have to dig a bit more for the FF one.