Re: Can't unwrap key into NSS in FIPS mode

David Stutzman wrote, On 2008-12-31 11:30: > If I wrap/unwrap with a token object RSA key, I get a different error > trying to encrypt with the unwrapped AES key: > > RSA key from NSS DB: SunPKCS11-NSSfips RSA private key, 2048 bits (id > 2464323849, token object, sensitive, extractable) > pulled

Re: How do I get the certificates out of the builtin object token?

Kyle Hamilton wrote, On 2008-12-31 06:36 PST: > KyleMac:.netscape kyanha$ modutil -add roots -libfile > /Applications/Firefox.app/Contents/MacOS/libnssckbi.dylib -dbdir . > > WARNING: Performing this operation while the browser is running could cause > corruption of your security databases. If the

Re: MD5 broken, certs whose signatures use MD5 now vulnerable

Ian G wrote, On 2008-12-30 13:38: > [...] is there any difficulty with announcing today that NSS is > going to deprecate MD5 and earlier algorithms, totally, for all > purposes, including Firefox and Thunderbird. > > (Leave off the date as to when the rejection will take effect.) The NSS t

Re: MD5 broken, certs whose signatures use MD5 now vulnerable

Daniel Veditz wrote, On 2008-12-30 17:37: > Paul Hoffman wrote: >> At 1:16 PM -0800 12/30/08, Nelson B Bolyard wrote: >>> I should have written: digital signatures on certificates. The patch >>> that I wrote only affects signatures on digital certificates. >> &g

Re: Unbelievable!

Florian Weimer wrote, On 2008-12-30 13:04: > * Michael Ströder: > >> Florian Weimer wrote: >>> Even if you've got the certificate, you need to attack IP routing or >>> DNS. If you can do that, chances are that you can mount this attack >>> against one of the domain-validating RAs, and still recei

Re: MD5 broken, certs whose signatures use MD5 now vulnerable

Paul Hoffman wrote, On 2008-12-30 12:43: > At 8:39 AM -0800 12/30/08, Nelson B Bolyard wrote: >> The upshot of this is probably going to be that, in a short time, all >> the world's browsers (and PKI software in general) stop supporting MD5 >> for use in digital

Re: symmetric key issues with NSS 3.12

David Stutzman wrote, On 2008-12-30 07:55: > I was playing around with the Sun PKCS11 provider and accessing NSS > directly while in FIPS mode. It appears nss 3.12 (on Vista 32-bit) has > issues reporting key sizes both to Java and using symkeyutil directly: > > Attempting to create a 128 byte (1

Re: Installing PKCS11 on Firefox at startup

Paco wrote, On 2008-12-30 06:08: > Hi. I'm developing an extension which, for other reasons already > contains a C++ component using NSS for several tasks. > > Lately, I decided to add another task: Since we distribute a PKCS11 > module with our application, I decided to install it on Firefox > I

Re: MD5 broken, certs whose signatures use MD5 now vulnerable

Chris Hills wrote, On 2008-12-30 08:49: > On 30/12/08 17:47, Nelson B Bolyard wrote: >> I meant to add: The paper with the real facts is seen at >> http://www.win.tue.nl/hashclash/rogue-ca/ > > In the meantime, could a list of the affected CA's be made available so

Re: MD5 broken, certs whose signatures use MD5 now vulnerable

Nelson B Bolyard wrote, On 2008-12-30 08:39: > For years we've been reading stories of researchers making more and more > progress on "breaking" MD5. Well, now they've made enough progress that > it is possible to forge some certificates that use MD5 in their signat

MD5 broken, certs whose signatures use MD5 now vulnerable

For years we've been reading stories of researchers making more and more progress on "breaking" MD5. Well, now they've made enough progress that it is possible to forge some certificates that use MD5 in their signatures. You're going to be seeing a lot of breathless stuff in the media about this,

Re: Just change expiry time

Michael Ströder wrote, On 2008-12-30 04:49: > Ben Bucksch wrote: >> If we decide that a CA does not operate properly,.but we don't want to >> cause problems for users, another option would be to shorten the expiry >> date of the relevant root certs to one year or less. >> >> Technically, that shoul

Re: PositiveSSL is not valid for browsers

Ian G wrote, On 2008-12-30 05:36: > Right, you are correct that those who built the process were orienting > SSL to credit cards and protection from eavesdropping. The designers of SSL knew from the beginning of the many many uses that SSL had. The emphasis in the PR story for SSL was around cr

Re: PositiveSSL is not valid for browsers

Kyle Hamilton wrote, On 2008-12-30 04:13 PST: > (in fact, it wasn't until a LOT of people got infuriated at Netscape > over the Verisign tax that other CAs were even allowed into the > program Do you have any evidence to support that claim? SSL2 was introduced in Navigator 2, and there were man

Re: Words from Comodo?

Ian G wrote, On 2008-12-29 16:59: > As far as I heard, the CABForum was also formed or inspired from a > similar group of vendors (browsers) that got together at the invite of > the Konqueror guy to talk about phishing one day ... I think Mozilla's own Mr. Gervase Markham had something to do wi

Re: Security-Critical Information (i.e. Private Key) transmittedbyFirefox to CA (i.e. Thawte) during X.509 key/cert generation

Kyle Hamilton wrote, On 2008-12-29 01:08: > On Sun, Dec 28, 2008 at 11:26 PM, Anders Rundgren wrote: >>> [suggestion of XER snipped] >> According to a recent discussion in PKIX the only safe way dealing >> with certificates is treating them as blobs because a lot of CAs do >> not use proper DER en

Re: Words from Comodo?

Eddy Nigg wrote, On 2008-12-29 05:50 PST: > There is now an interest article at "the register": > http://www.theregister.co.uk/2008/12/29/ca_mozzilla_cert_snaf/ > > We here now some words from the house of Comodo: [snip] > Interesting that Comodo founded the CAB forum and Comodo created a > st

Re: problem with JSS-based custom RMI factory

alex.agra...@gmail.com wrote, On 2008-12-29 01:27: > On Dec 28, 5:02 pm, alex.agra...@gmail.com wrote: >> I'm trying to create a simple Java RMI application with a custom >> factory that uses JSS SSL classes. Sorry for the lack of earlier reply. Most (actually all) of the NSS/JSS team is official

Re: dropping the root is useless

David E. Ross wrote, On 2008-12-28 21:40 PST: > Now that it is known that a subordinate reseller operating under one CA > issued certificates without authenticating the identity of the > subscribers, we know that the theoretical concern expressed (before all > this) about resellers is no longer

Re: Security-Critical Information (i.e. Private Key) transmitted by Firefox to CA (i.e. Thawte) during X.509 key/cert generation

Michael Ströder wrote, On 2008-12-28 04:38 PST: > Nelson B Bolyard wrote: >> I also think we need a page or two on developer.mozilla.org that fully >> documents both the tag and the crypto.generateCRMFRequest method. > > +1 > >> The existing documentation is v

Re: Security-Critical Information (i.e. Private Key) transmittedbyFirefox to CA (i.e. Thawte) during X.509 key/cert generation

Anders Rundgren wrote, On 2008-12-28 07:52: > [...] most organizations are more concerned about sent data than received > [...] This is one reason (out of many) that Mozilla's S/MIME mail clients require that the sender be an implicit recipient of any encrypted messages sent. It ensures that the s

Re: Unbelievable!

Kyle Hamilton wrote, On 2008-12-27 15:56: > I am a user. I am worried about MITM attacks. > > Unlike most users, I'm technically and legally savvy enough to know: > 1) Why to perform my due diligence > 2) How to perform my due diligence > 3) How to add the root into my store > > However, I have

Re: Security-Critical Information (i.e. Private Key) transmitted by Firefox to CA (i.e. Thawte) during X.509 key/cert generation

Fost1954 wrote, On 2008-12-27 06:54: > *_With other words (adapted from N. Bolyard):_* > > "b) Is there any way for a Firefox user to detect that his CA has requested > [the] private key [to be transmitted] ?" > > _Possible Answer by Kaspar Band: _ "...an "Encryption Key Copy" warning > dialog w

Re: Security-Critical Information (i.e. Private Key) transmitted by Firefox to CA (i.e. Thawte) during X.509 key/cert generation

Kaspar Brand wrote, On 2008-12-27 03:21: > Michael Ströder wrote: >> I personally don't know whether the current Mozilla implementation of >> crypto.generateCRMFRequest includes the private key of an encryption >> cert. > > Only if you tell it do so, and only if it's a key-exchange-only key. [1]

Re: Avoid incorrect issuing of Certificates

Kyle Hamilton wrote, On 2008-12-26 18:10 PST: > I note that the WebTrust audit seal that Robin provided links to only > mentions auditing in relation to EV certificate issuance, and does not > address anything at all outside of that scope. Here are some Comodo seal numbers that I found: 212 537 6

Re: Avoid incorrect issuing of Certificates

patri...@certstar.com wrote, On 2008-12-26 14:52: > Lately we have all seems that the certificate system is not 100% > secure - mistakes happen. It might never become fully bullet proof but > one simple change might help a lot. > > How about creating certificate type that is registered in a centr

Re: Unbelievable!

ro...@comodo.com wrote, On 2008-12-26 03:28: >We have finished our initial investigation on the certificates > issued by Certstar. > > Of the 111 orders that had been placed through Certstar there remain > 13 orders for which we have still not been able to gather adequate > evidence of the ap

Re: Security-Critical Information (i.e. Private Key) transmitted by Firefox to CA (i.e. Thawte) during X.509 key/cert generation

Kyle Hamilton wrote, On 2008-12-25 12:15: > among other things, because is not a standardized mechanism. True, but neither is crypto.generateCRMFRequest. There is no standardize html or JavaScript feature for this purpose. ___ dev-tech-crypto mailing li

Re: WebTrust

David E. Ross wrote, On 2008-12-24 19:42: > At one time, the WebTrust Web site included a page that listed > certificate authorities that had obtained the WebTrust seal. The page > was at . > > That link no longer deals with WebTrust seals. The URI redirects

Re: JSS doesn't support AES key unwrapping

alex.agra...@gmail.com wrote, On 2008-12-24 11:32: >> oh? This is the first report of this problem that I recall seeing. > > Here is a similar report that I was referring to: > http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/01028c36412d94bf Hmm. That message never r

Re: Unbelievable!

Kyle Hamilton wrote, On 2008-12-24 14:53: > On Wed, Dec 24, 2008 at 2:46 PM, Eddy Nigg wrote: >> On 12/25/2008 12:36 AM, Kyle Hamilton: >>> To be honest, Mozilla doesn't distribute keytool with Firefox, which >>> means that I have to try to go into the (unbatchable) interface and >>> remove the fl

Re: dispute resolution procedures for Mozilla CA module

Kyle Hamilton wrote, On 2008-12-24 14:42: > Thanks for the explanation. > > I do agree that the separation of responsibility would be good, since > Frank (appears to?) does the actual CA approval Yes > and you appear to be the one primarily who implements his directives as > regards the update

Re: Security-Critical Information (i.e. Private Key) transmitted by Firefox to CA (i.e. Thawte) during X.509 key/cert generation

Kyle Hamilton wrote, On 2008-12-24 13:49: > Firefox does not send any private key. > http://en.wikipedia.org/wiki/Certificate_signing_request provides a > very good overview of what it does. The answer is not that simple. The cited wiki page explains PKCS#10 Certificate Signing Requests (CSRs).

Re: Unbelievable!

Paul Hoffman wrote, On 2008-12-24 09:55: > At 9:14 AM -0800 12/24/08, Kyle Hamilton wrote: >> I'd like to see an extension that allows other certificates (for the >> same public key) to be included in a certificate (self-signed or not). > > Are you asking for a Mozilla extension or a PKIX extensio

Re: dispute resolution procedures for Mozilla CA module

Kyle Hamilton wrote, On 2008-12-23 21:20: > On Tue, Dec 23, 2008 at 6:16 PM, Nelson B Bolyard wrote: >> Anyway, I would support the creation of a "CA certificate" non-code module. > > I think this would be a really good idea. I'm aware that my opinion > carrie

Re: CA liability. was: Publishing CA information documents in PDF format

Kyle Hamilton wrote, On 2008-12-24 08:39: > On Wed, Dec 24, 2008 at 4:25 AM, Ian G wrote: >> PS: on an earlier comment, check this out: >> >> http://blogs.technet.com/mmpc/archive/2008/11/06/malware-and-signed-code.aspx >> >> This is, IMHO, the sort of work that Mozilla should be treating as more

Re: dispute resolution procedures for Mozilla CA module

Ian G wrote, On 2008-12-23 05:58: > 3. How to resolve a dispute. This is a Mozilla action & > responsibility. Reverse-engineering and referring, I would suggest this > as a teaser: > >a. The CA certificate "module owner" at Mozilla foundation is > responsible. Ref, the policy, pt 15.

Re: JSS doesn't support AES key unwrapping

I wrote, On 2008-12-23 11:53: > Please file a bug in bugzilla.mozilla.org, product JSS, and put all > the above information into that bug. Glen filed a bug based on this report. (Thanks, Glen) See https://bugzilla.mozilla.org/show_bug.cgi?id=470982 __

Re: JSS doesn't support AES key unwrapping

alex.agra...@gmail.com wrote, On 2008-12-23 02:59: > When I try to unwrap AES key via JSS API, I get the following > exception: > > cipher = Cipher.getInstance("RSA", jssProvider); > cipher.init(Cipher.UNWRAP_MODE, wrapKeyPair.getPrivate()); > Key unwrappedKey = cipher.unwrap(wrappedData, "AES", >

Re: Building NSS on Vista

ps_mitrofa...@mail.ru wrote, On 2008-12-22 09:30: > On 22 дек, 20:08, Nelson B Bolyard wrote: >> ps_mitrofa...@mail.ru wrote, On 2008-12-22 08:45: >> Please supply more output from the gmake run, like (say) the last 20 >> lines of output > > There is building log(but

Re: Building NSS on Vista

ps_mitrofa...@mail.ru wrote, On 2008-12-22 08:45: > On 22 дек, 19:14, Nelson B Bolyard wrote: >> ps_mitrofa...@mail.ru wrote, On 2008-12-22 03:33: >> >>> Hi. I'm asking for help :) When I try to build NSS on Windows Vista, >>> I've go build_coreconf er

Re: Can't unwrap key into NSS in FIPS mode

alex.agra...@gmail.com wrote, On 2008-12-21 08:02: > I'm working with NSS from JAVA (via JAVA 6 PKCS11 provider on RHEL 5). > My NSS database is configured for FIPS-140 mode. And I try to wrap/ > unwrap AES key with RSA public/private key pair as follows: > > // open NSS keystore > char[

Re: delta crl support

sg4all wrote, On 2008-12-22 06:46: > Dear all, > > does the current version of nss already support delta crls? No. Presently, No version of NSS supports delta CRLs. There are no definite plans to do so, at this time. It has been on the wish list for a long time. > I can only find old informa

Re: Building NSS on Vista

ps_mitrofa...@mail.ru wrote, On 2008-12-22 03:33: > Hi. I'm asking for help :) When I try to build NSS on Windows Vista, > I've go build_coreconf error 1. Is it possible to build NSS on Vista ? > If it is possible, then please tell me how? Sounds like you might have had one or more of these issue

Re: DSV/S-TRUST root inclusion request

According to my mail client, Ian G wrote on 2008-12-17 04:11 PST: [paraphrasing liberally: Europeans let their legislatures do their engineering.] Lot of countries have created their own legislation or regulation for security software, and then sat back and waited for others to implement their

Re: A tip for novice users of SSL_BadCertHook and SSL_PeerCertificate

DanKegel wrote, On 2008-12-18 12:12: > http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1088928 > says "To obtain the certificate that was rejected by the certificate > authentication callback, the callback function calls > SSL_PeerCertificate." The sentence above could be clar

Re: DSV/S-TRUST root inclusion request

Eddy Nigg wrote, On 2008-12-17 02:31: > On 12/17/2008 08:54 AM, Nelson B Bolyard: >> But I did dig up the URLs for the 4 CA certs, and examined those certs. >> Each of them has a separate subject name, public key, subject key ID, >> authority key ID, and of course val

Re: DSV/S-TRUST root inclusion request

Eddy Nigg wrote, On 2008-12-16 18:20: > On 12/17/2008 03:42 AM, Nelson B Bolyard: >> Do the new certs for S-TRUST have the same key, or do they have >> different keys? If they have different keys, do they also have different >> subject names? >> Do they have dif

Re: DSV/S-TRUST root inclusion request

Frank Hecker wrote: I've decided to make S-TRUST the next CA to enter the public discussion period. (I need to do a little more work for KISA, T-Systems, and Microsec, the other CAs near the top of the list.) S-TRUST is operated by Deutscher Sparkassenverlag (DSV), which has applied to add four

Re: NSS and PKCS#11 versions of modules

Robert Relyea wrote, On 2008-12-10 17:12: > Nelson B Bolyard wrote: >> I think you're talking about a common implementation where the token and >> reader are one and the same, and the act of connecting the token also >> connects a new reader. One way to implement t

Re: NSS and PKCS#11 versions of modules

Martin Paljak wrote, On 2008-12-10 03:50: > On 10.12.2008, at 8:08, Nelson Bolyard wrote: >> Robert Relyea wrote: >>> Martin Paljak wrote: Thanks for tips! Could you point me to the line in spec where it says that slots can only be added. I cant find the place where it forbids remo

Re: UTF8 support in the Firefox certificate store?

[EMAIL PROTECTED] wrote, On 2008-12-09 01:55: > Just uploaded the certificate in DER and PEM file format. > It can be found here: > www.boraxx.nl/Mozilla/Thai.der > www.boraxx.nl/Mozilla/Thai.crt The CN and OU attributes in that cert, which (as I understand it) you have said are UTF8 strings, are

Re: Why does SSL_GetChannelInfo return a 0 channel.cipherSuite?

Wan-Teh Chang wrote, On 2008-12-08 17:38: > In NSS's SSL test programs selfserv.c, tstclnt.c, and strsclnt.c, we have > code like this: > > 139 result = SSL_GetChannelInfo(fd, &channel, sizeof channel); > 140 if (result == SECSuccess && > 141 channel.length == sizeof channel && > 1

Re: Can NSS ECC algorithms be used for IPSec?

[EMAIL PROTECTED] wrote, On 2008-12-08 07:00: > I see, that NSS has many crypto algorithms. I'm trying to make crypto > plugin for IPSec. I need to use ECC algorithms (ECDSA, ECDH). So. Are > the NSS ECC algorithms compatible with IPSec (I mean key strength)? In ECC, key strength is determined by

Re: Creating a Global User-level CA/Trust Infrastructure for Secure Messaging

Ian G wrote, On 2008-12-04 05:38: > The first cause of the failure to use SSL for security is that https > cannot be easily shared across one IP numbers, a crucial, limited > resource. What does "https cannot be easily shared across one IP numbers" mean? ___

Re: UTF8 support in the Firefox certificate store?

[EMAIL PROTECTED] wrote, On 2008-12-06 06:13 PST: > I have created a X.509 v3 client certificate using OpenSSL. > > The CN and OU field contain UTF8 characters, in this case Thai > characters for testing purposes. > [...] when I import the certificate into Firefox (3.04) and view the > certifica

Re: Creating a Global User-level CA/Trust Infrastructure for Secure Messaging

Eddy Nigg wrote, On 2008-12-05 04:48: > On 12/05/2008 09:17 AM, Nelson Bolyard: >> Ian, >> >> Now, in contrast to that, I have been led to believe that Skype's: >> - protocols, security designs and parameters are proprietary, secret, have >> not been openly published, and thus not subjected to publ

Re: Mozilla CA Certificate Policy - Useful?

Ian G wrote, On 2008-12-04 22:58: > (I discovered some other oddities about S/MIME recently: revocation > seems to be incongruent with key distribution. I can distribute a new > cert only in an S/MIME signed email, but I can't distro any updates to > my key situation. When I lose a key, all

Re: NSS and PKCS#11 versions of modules

Martin Paljak wrote, On 2008-12-05 07:03: > Hi! > > PKCS#11 modules advertise its versions in two different places: in the > structure returned by C_GetFunctionList and in C_GetInfo. What happens > if those versions mismatch or which one has higher priority? Answering only for NSS, NSS igno

Re: Mozilla CA Certificate Policy - Useful?

Kyle Hamilton wrote, On 2008-12-04 10:57: > On Sat, Nov 29, 2008 at 3:57 PM, Frank Hecker > <[EMAIL PROTECTED]> wrote: >> The primary reason CAs apply to have certificates included into NSS, and the >> primary reason we have a policy about this, is because CAs want their >> customers' SSL certific

Re: Creating a Global User-level CA/Trust Infrastructure for Secure Messaging

Kaspar Brand wrote, On 2008-12-03 08:36 PST: > http://sni.velox.ch/httpd-2.2.x-sni.patch is working pretty well for > 2.2, though (have a look at https://sni.velox.ch). Kaspar, Thank you for building and maintaining that web site. It is the ONLY web site known to me that implements SNI. I use it

Re: NSS_Initialize failed. NSS with apache 2.2.10 (mod_nss 1.0.8)

Stefan Kirchner wrote, On 2008-12-02 02:11: > Hello NSS community, > > I am trying to integrate NSS 3.12 into apache 2.2.10 via mod_nss 1.0.8 (on > RHEL 5.2). I want to use SSL over NSS > and I always get following error messages while starting the webserver: > [Tue Dec 02 11:02:02 2008] [error]

Re: could someone explain this strange JSS/NSS behavior?

David Stutzman wrote, On 2008-12-01 06:16: > -Original Message- >> Interesting. Haven't seen that one before. >> Please file a bug in bugzilla.mozilla.org, product NSS, component >> tools. > https://bugzilla.mozilla.org/show_bug.cgi?id=467344 Thanks for filing the bug. In the bug, you s

Re: Creating a Global User-level CA/Trust Infrastructure for Secure Messaging

Michael Ströder wrote, On 2008-11-27 06:02: > Anders Rundgren wrote: >> >> So what is then real problem? >> >> 1. The European Smart Card industry who do not want to become suppliers >> >> of commodities. >> >> >??? >> >Each time I talked to smartcard vendors they were keen on selling their >>

Re: could someone explain this strange JSS/NSS behavior?

David Stutzman wrote, On 2008-11-28 09:51 PST: > certutil -K -d . > Enter Password or Pin for "NSS FIPS 140-2 Certificate DB": > <0> cn=foo-Signature > <1> cn=foo-Encryption > <2> cn=foo-Identity > > certutil -L -d . > cn=foo-Identity u,u,u > cn=foo-Identity

Re: Help to use PKCS 11 functions in firefox extension

Akkshayaa Venkatram wrote: >> From the mozilla tree, >> http://mxr.mozilla.org/mozilla/source/security/nss/lib/pk11wrap/pk11pub.h#109 >> >> >> I want to call the PK11 functions for encrypt, decrypt, sign, verify, >> etc.. from my Firefox extension that is written in javascript. Robert Relyea w

https server products that support SNI?

Are there ANY https server products (open source or closed) that support SNI? How about SSL libraries? Do any have server-side support for SNI? ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tec

Re: WISeKey root inclusion request (re-start public discussion)

Eddy Nigg wrote, On 2008-11-24 11:35: > On 11/24/2008 07:33 PM, Nelson B Bolyard: >> The only solution to this that is apparent to me is for the web to >> evolve to the point where browsers no longer accept DNS names in >> non-standard locations in the cert, such as in th

Re: WISeKey root inclusion request (re-start public discussion)

Eddy Nigg wrote, On 2008-11-24 09:14: > On 11/23/2008 12:32 AM, Nelson B Bolyard: >> There's no foolproof test for determining if a string is a DNS name or >> some other kind of name. Various heuristics can be devised, but they >> all have problems. > > This wo

Re: Creating a Global User-level CA/Trust Infrastructure for SecureMessaging

Anders Rundgren wrote, On 2008-11-23 09:15: > Nelson B Bolyard wrote. >>> I want each organization/domain entity that can afford an SSL certificate >>> to become a virtual CA and run their own secure messaging center. > >> Why SSL certs? why not email certs? >

Re: WISeKey root inclusion request (re-start public discussion)

Eddy Nigg wrote, On 2008-11-22 04:10: > On 11/22/2008 12:32 PM, kgb: >> Mandatory inclusion of the SAN extension in a certificate is a policy >> we can apply and monitor in the future. > > To my understanding NSS ignores the subject line according to the RFC. I think you mean subject NAME, not s

Re: Creating a Global User-level CA/Trust Infrastructure for SecureMessaging

Anders Rundgren wrote, On 2008-11-22 08:33: > I want each organization/domain entity that can afford an SSL certificate > to become a virtual CA and run their own secure messaging center. Why SSL certs? why not email certs? Is it because you think that a secured IM service would be based on SS

Re: Creating a Global User-level CA/Trust Infrastructure for Secure Messaging

Ian G wrote, On 2008-11-22 07:39: > So an obvious thing is to add chat to Tbird. How to do this? Are you aware of chatzilla? It's been around for a long time. Protocols and architecture are defined in RFCs 2810-2813. Chatzilla interoperates with many other chat clients that follow those RFCs.

Re: Creating a Global User-level CA/Trust Infrastructure for Secure Messaging

Anders Rundgren wrote, On 2008-11-22 02:12: > The following is related to the S/MIME discussions. Anders, here are your choices: You may either have a) encryption using authenticated keys or b) encryption using unauthenticated keys. Certificates are used for authenticated encryption. If you don'

Re: Web signing?

Ian G wrote, On 2008-11-20 16:24: > Hi Nelson, welcome to this fun debate :) Thanks. :) > Nelson B Bolyard wrote: >> It seems to me that ANY prudent person would ask that question >> when asked to sign anything. > > Maybe they do; as you and I agree, many people do not

Re: Trouble importing test root certificate

DanKegel wrote, On 2008-11-20 16:23: > Hi folks. I'm having some trouble using CERT_ImportCerts. > A minimal demo of the problem is at >http://kegel.com/cert-import-demo.cc > First problem: > Decoding fails because NSSBase64_DecodeBuffer appears > to barf on the trailing ---END CERTIFICATE---

Re: Web signing?

Ian G wrote, On 2008-11-20 06:04 PST: > Nelson Bolyard wrote: > Um. So these tools organise a signature from a client cert over the > text in the form text box, and then post the signature up to the server? Well, I can only speak for what Mozilla browsers do. They generate a "document" that co

Re: Web signing?

Ian G wrote, On 2008-11-20 07:53: > Graham Leggett wrote: >> Having designed a system that includes "web signing" using >> crypto.signtext() for an insurance company to handle claim approvals, I >> can tell you that the primary question of the business people who used >> the system was "just wha

Re: Firefox' password manager with sqlite based NSS

Wolfgang Rosenauer wrote, On 2008-11-18 05:38: > Hi, > > I'm trying to use Firefox with an sqlite based NSS. So far all the > certificate stuff still works as expected as far as I can see but the > password manager component is broken now: > > The exposed error is this: > > Login Manager: Initia

Re: Import .cer into my .keystore

Kalukuri <[EMAIL PROTECTED]> wrote, On 2008-11-17 05:08 PST: > I am having 2 different keystores. One is having a cert for one > particular client which the other is not having. > My plan is to export the car from the first available one and import > the same into the other which is not having tha

Re: What are the problems with overspecified AKID?

Kyle Hamilton wrote, On 2008-11-16 16:25: > Thanks for the explanation, Nelson -- it's a lot more information than > I've been able to put together to this point. Though I'm not quite > sure I completely understand... > > If AKID contains an actual key ID (as opposed to the certificate ID > tuple

Re: What are the problems with overspecified AKID?

Kyle Hamilton wrote, On 2008-11-15 17:49: > What are the problems with overspecified Authority Key ID fields? > (i.e., both key ID and issuer's name/serialnumber)? I'm noticing that > it's part of the Certificate Policy v1.2 (paragraph 4, in the > 'incorrect extensions' bullet point), but I still

Re: NSS DB migration problem

Hans Petter Jansson wrote, On 2008-11-15 17:57: > On Fri, 2008-11-14 at 22:56 -0800, Nelson B Bolyard wrote: >> Hans Petter Jansson wrote, On 2008-11-14 21:54: > >>> This works for some databases, but not others. > It's on separate workstations, but in som

Re: NSS DB migration problem

Hans Petter Jansson wrote, On 2008-11-14 21:54: > I've been looking in NSS docs and ML archives for a solution to the > following problem, with no luck. Asking around on IRC, I was pointed to > this ML. Hopefully it's the appropriate forum. > > I'm trying to migrate existing NSS DBs from the old B

Re: signtool.exe

Julien R Pierre - Sun Microsystems wrote, On 2008-11-12 14:46: > The user above was using Windows, not Solaris. On Windows we didn't have > freebl shared libs in 3.10, and thus no freebl library loading was > necessary. That's true for Windows. > The simplest workaround for Windows users is t

Re: SSL version 3 - How Firefox contructs key materials for 3DES

Rusdy13 wrote, On 2008-11-12 02:25: > I've been developing a web server (research) based on ssl version 3 doc > (ssl-version3-02.txt), choosing cipher suite 0x000a (ssl-tripleDes-sha) and > using firefox browser to test the program. > > It works successfully from client hello until server finish

Re: signtool.exe

Two years ago this week, John Smith wrote to us: > When I sign using keytool.exe version 3.10 it signs OK, > When I sign using keytool.exe version 3.11 it throws this error: > > using certificate directory: C:\Documents and > Settings\myusername\Application > Data\Mozilla\Firefox\Profiles\vsw8

Re: MITM in the wild

Iang wrote, On 2008-11-07 08:22: > Bernie Sumption wrote: >> How about an MITM detection service that gives no false positives, but >> might give false negatives? If you positively identify an MITM attack, >> you can present users with a much more definite UI saying "this *is* >> an MITM attack" a

Re: MITM in the wild

Ian G wrote, On 2008-11-06 15:06: > Nelson B Bolyard wrote: >> Ian G wrote, On 2008-11-06 12:48: >>> Nelson B Bolyard wrote: >>>> What curious things do you notice about these certs? >>> Only one key? >> Yup. That's the biggie. It allows th

Re: MITM in the wild

Ian G wrote, On 2008-11-06 12:48: > Nelson B Bolyard wrote: >> What curious things do you notice about these certs? > > Only one key? Yup. That's the biggie. It allows the MITM to get by with just a single private key. > All have same Issuer + Subject? Yeah, al

Re: MITM in the wild

What curious things do you notice about these certs? Certificate: Data: Version: 3 (0x2) Serial Number: 1224169969 (0x48f759f1) Signature Algorithm: PKCS #1 MD5 With RSA Encryption Issuer: "CN=unaportal.una.edu,O=University of North Alabama" Validity:

Re: Client authentication cores the VM if the client does not send any certificates

Dean wrote, On 2008-11-06 04:47 PST: > I entered a defect with test case for this a while back and have not > seen any comments on it. Yeah, 4 days ago. Be patient. Thanks. > https://bugzilla.mozilla.org/show_bug.cgi?id=458251 /Nelson ___ dev-tech-c

Re: MITM in the wild

Bernie Sumption wrote, On 2008-11-06 03:57: > Graham, Nelson, Eddy, you all make good points. > > I'll take your word for it that it's impossible to detect MITM attacks > with 100% reliability, as I said I'm not a security expert. > > How about an MITM detection service that gives no false positi

Re: Help Signature Verification Error: !

leszek wrote, On 2008-11-05 07:49: >> What software displayed that error message? > > I have the same error ... in the FireFox javascript: console. If you use signtool to verify the signature on your jar file, what does it report? signtool -v my.jar Similarly, what does signtool -w my.jar

Re: Help adding private CA to cert7 file with NSS 3.6

[EMAIL PROTECTED] wrote, On 2008-11-05 07:26: > On Oct 2, 3:53 pm, "Matthews, Tim R" <[EMAIL PROTECTED]> wrote: >> Hi All. I hope this is an acceptable question for this list; I've >> searched google and the archives and not found an answer. >> >> We use Remedy ARS (helpdesk ticketing system) and a

Re: MITM in the wild

Bernie Sumption wrote, On 2008-11-04 04:04: >> Is removal of the ability to override bad certs the ONLY effective >> protection for such users? > > No. If we can detect MITM attacks, the problem goes away. It does? Absence of an incomplete MITM attack does not prove the identity of the server.

Re: nss-3.10 with smartcard on obfuscated class files.

[EMAIL PROTECTED] wrote, On 2008-11-03 14:10: > 1. I insert my hardware token with "smartcard" certificate into my > DataKey reader. > 2. I move each jar file, one at a time, to my X drive, xyz folder. What kind of drive is that? USB stick? local hard drive? network file system of some sort? (NF

Re: CERTCertDBHandles and OCSP

[EMAIL PROTECTED] wrote, On 2008-11-02 14:40: > In a previous post I got recommented to use PK11SlotInfos instead of > CERTCertDBHandles. > > But in order to use the OCSP functions I need to obtain a > CERTCertDBHandle, so I assume I have to go with the default cert > database. Am I right? Yes,

Automatic list moderation changes

This mailing list is received and displayed by a web site which makes it appear to be a web-based discussion forum. See it at http://www.nabble.com/Mozilla---Cryptography-f6646.html In the past, people who read the list there and sent replies have found that their replies went unread by the rest

Re: Creating a cert. database at runtime?

[EMAIL PROTECTED] wrote, On 2008-10-29 16:07: > Hi again, > > Thanks for your reply, Robert. > > I didn't explain myself clearly (I'm a newbie with NSS). I was meaning > ways to create a CERTCertDBHandle. I am missing something similar to > the deprecated CERT_OpenCertDBFilename function. I wrot

<    1   2   3   4   5   6   7   8   9   10   >