Re: Dan Kaminsky's DNS talk discusses SSL

2008-08-21 Thread Nelson B Bolyard
Kyle Hamilton wrote, On 2008-08-21 14:31: > On Thu, Aug 21, 2008 at 10:24 AM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote: >> I was informed privately that it means that Firefox shows EV chrome >> indicators, even for pages that contain some DV content. > > Er, if

Re: NSS and OpenSSL BIO replacement

2008-08-21 Thread Nelson B Bolyard
Ruchi Lohani wrote, On 2008-08-21 10:44: > Thanks for all the links. > What I am looking for is specific functions to verify a signed file > (both signers certificate and the signed content). > I need to then get the signed content from the file. The program cmsutil already does all that. I sugges

Re: Dan Kaminsky's DNS talk discusses SSL

2008-08-21 Thread Nelson B Bolyard
Nelson B Bolyard wrote, On 2008-08-21 10:04: > Gervase Markham wrote, On 2008-08-21 05:09: >> Nelson Bolyard wrote: >>> If you haven't already done so, read Dan Kaminsky's slides from his >>> talk at blackhat. http://www.doxpara.com/DMK_BO2K8.ppt >>>

Re: Dan Kaminsky's DNS talk discusses SSL

2008-08-21 Thread Nelson B Bolyard
Gervase Markham wrote, On 2008-08-21 05:09: > Nelson Bolyard wrote: >> If you haven't already done so, read Dan Kaminsky's slides from his >> talk at blackhat. http://www.doxpara.com/DMK_BO2K8.ppt >> >> After he presents the DNS attack, he talks about SSL, certs, and what >> browsers must do to ge

Re: NSS and OpenSSL BIO replacement

2008-08-20 Thread Nelson B Bolyard
Ruchi Lohani wrote, On 2008-08-20 21:31: > Thanks Nelson. > And sorry about the subject of the mail. I wanted to ask about that also. > What are the equivalent APIs in NSS which probably can replace the BIO > I/O abstraction of OpenSSL ? Years have elapsed since I last looked at the BIO functions,

Re: NSS and OpenSSL BIO replacement

2008-08-20 Thread Nelson B Bolyard
Ruchi Lohani wrote: > Can anyone point me to the documentation present for pkcs7. I'm not sure if you're asking about the standards or the NSS implementations of the standards (there are multiple of each). PKCS#7 v 1.5, also known as Cryptographic Message Syntax (CMS), is RFC 2315. It was the f

Re: Trusted CA issuing SSL server certs with unvetted FQDNs!

2008-08-20 Thread Nelson B Bolyard
Kyle Hamilton wrote: > 2008/8/20 Robert Relyea <[EMAIL PROTECTED]>: >> Luckily, Michael also stated that most CA's rejected his requests. But it >> only takes one CA to spoil the party. > Of course, if he doesn't provide the certificate and proof that he has > the private key to it, I'm going to b

Re: Trusted CA issuing SSL server certs with unvetted FQDNs!

2008-08-20 Thread Nelson B Bolyard
Thorsten Becker wrote: > Nelson Bolyard wrote: >> On the other hand, it is possible that the domain validation was performed >> but that it was deceived through the use of DNS attacks. In his slides >> on the subject of DNS attacks, Dan Kaminsky did say that it was possible >> to deceive domain va

Re: Documenting default trusted CAs

2008-08-19 Thread Nelson B Bolyard
Wan-Teh Chang wrote, On 2008-08-19 10:24: > On Tue, Aug 19, 2008 at 9:23 AM, Dennis Darch <[EMAIL PROTECTED]> wrote: >> In the next update of our software product we are using NSS 3.11.9 to >> upgrade our LDAP client to support LDAP/SSL. I would like to include in our >> documentation a list of th

Re: Documenting default trusted CAs

2008-08-19 Thread Nelson B Bolyard
Dennis Darch wrote, On 2008-08-19 09:23: > In the next update of our software product we are using NSS 3.11.9 to > upgrade our LDAP client to support LDAP/SSL. I would like to include in our > documentation a list of the public certificate authorities that would be > trusted without having to b

Re: Questions on NSS_Shutdown () and Firefox crash

2008-08-18 Thread Nelson B Bolyard
Kyle Hamilton wrote, On 2008-08-18 15:20: > A library is a 'client'. You could replace Howard's use of 'user' > with 'client' and get more understanding. Oh, I quite understand that his model has keys and certs that belong to libraries, not to users. Of course, when a library brings access to th

Re: Questions on NSS_Shutdown () and Firefox crash

2008-08-18 Thread Nelson B Bolyard
Howard Chu wrote, On 2008-08-17 22:21: > Nelson B Bolyard wrote: >> Previously, someone criticized NSS, saying that it was designed for use >> only on single-user systems, a criticism that I dispute. NSS is very much >> oriented toward each user having his own set of trusted f

Re: Questions on NSS_Shutdown () and Firefox crash

2008-08-18 Thread Nelson B Bolyard
Daniel Stenberg wrote, On 2008-08-18 14:07: > On Sun, 17 Aug 2008, Kyle Hamilton wrote: > >> OpenSSL does not have a root-certificate program. The official >> position (from http://www.openssl.org/support/faq.html#USER16) is that >> the job of OpenSSL is to create the code to make trust possible,

Re: Questions on NSS_Shutdown () and Firefox crash

2008-08-16 Thread Nelson B Bolyard
Howard Chu wrote, On 2008-08-16 17:03: > Nelson B Bolyard wrote: >> Wan-Teh Chang wrote, On 2008-08-15 19:36: >>> 3. Change NSS_Init so that instead of doing nothing >>> when NSS is already initialized: >>> >>> http://mxr.mozilla.org/security/sour

Re: Questions on NSS_Shutdown () and Firefox crash

2008-08-16 Thread Nelson B Bolyard
Daniel Stenberg wrote, On 2008-08-16 13:03: > curl is completely independent from browsers, and when installed in > systems it usually uses the system-wide CA cert bundle. Of course it has > command line options to allow the user to specify what CA bundle to use > (or indeed other certs etc). Da

Re: Questions on NSS_Shutdown () and Firefox crash

2008-08-16 Thread Nelson B Bolyard
Wan-Teh Chang wrote, On 2008-08-15 19:36: > We ran into a similar problem with PKCS #11 modules that > NSS and some other libraries share. When one of the libraries > calls C_Finalize on the shared PKCS #11 module, it prevents > the other libraries from using the PKCS #11 module. > > Some possibl

Re: Questions on NSS_Shutdown () and Firefox crash

2008-08-15 Thread Nelson B Bolyard
Ruchi Lohani wrote, On 2008-08-15 16:35: > Hi, > I have been using NSS for quite some time now. If using NSS and cURL > (built with NSS) simultaneously in the application running on browser, > it is going to be a problem. As, while curl_global_cleanup (), it calls > NSS_Shutdown internally and is t

Re: Error adding certificate to NSS database

2008-08-15 Thread Nelson B Bolyard
Yevgeniy Gubenko wrote, On 2008-08-07 09:09: > Hi, > I use NSS3.11.4 with NSPR 4.6.4 (for fips compliant usage). > Here are the steps I perform to add new certificate to NSS db: [snip] > After last command I get an error: "certutil: could not add certificate > to token or database: Error adding c

Re: UTN-USERFirst-Object - "Can't verify signature

2008-08-11 Thread Nelson B Bolyard
bmo wrote, On 2008-08-11 20:22: > Summary: I suspect that there's something wrong with the BUILT-IN Root > CA cert UTN-USERFirst-Object in Firefox 3.0.1. Or perhaps something is wrong with the code that tells you about that cert. > We were issued a code signing certificate which was signed by the

Re: Comparison of OpenSSL and NSS

2008-08-11 Thread Nelson B Bolyard
Howard Chu wrote, On 2008-08-11 20:07: > Nelson B Bolyard wrote: >> Howard Chu wrote, On 2008-08-10 14:13: > >>> It would make it impossible to use in e.g. OpenLDAP/nss_ldap because >>> applications would be unable to load their own configuration settings

Re: Comparison of OpenSSL and NSS

2008-08-10 Thread Nelson B Bolyard
Howard Chu wrote, On 2008-08-10 14:13: > The issue isn't about a specific file format, it's about overall > usability. Ignoring the issue of hiding things in a fragile DB the > problem is that it's a one-shot monolithic configuration. A process may > only call NSS_Init once, and provides a singl

Re: Comparison of OpenSSL and NSS

2008-08-10 Thread Nelson B Bolyard
Howard Chu wrote, On 2008-08-10 03:30: >> Nelson B Bolyard wrote: >>> Someone could write a PKCS#11 module that uses PEM files as its storage. >>> It wouldn't be FIPS validated, at least not initially. > > In that case, there's even less motivation

Re: Mozilla NSS & PKCS#8 query

2008-08-09 Thread Nelson B Bolyard
Subrata Mazumdar wrote, On 2008-08-07 05:34: Subrata, I apologize for not responding sooner. > Is it possible to import the PKCS#8 file for private key together with > the related X.509 cert file using PK11_ImportEncryptedPrivateKeyInfo()? Yes, it should be possible. > I have tried and was n

Re: Ciphersuite Ordering (was Re: Firefox and ECC TLS ciphersuites)

2008-08-08 Thread Nelson B Bolyard
mozilla wrote, On 2008-08-08 12:31: > Some have groused that the ordering of cipher suites has a bias against > FIPS. For example, Camellia and RC4 seem to be preferred over AES. Is the > rationale for the ordering documented or explained somewhere? My guess is > that speed was a consideration.

Re: programatically import a certificate into firefox

2008-08-08 Thread Nelson B Bolyard
[EMAIL PROTECTED] wrote, On 2008-08-08 05:49: > I would like to have a certificate automatically imported into the > browser even before the user first logs in so that he does not get the > prompt. This need is for a particular use-case where the user is on the > same host as the web server and used a

Re: creating DH server certificates with NSS

2008-08-07 Thread Nelson B Bolyard
Peter Djalaliev wrote, On 2008-08-07 09:26: > My company develops an in-line network device that possibly resigns > certificates of SSL connections with an internal CA. Oh, a MITM! :-) Is there a web page where we can read more about that product? > Currently, we do > not handle the regular

Re: Error adding certificate to NSS database

2008-08-07 Thread Nelson B Bolyard
Yevgeniy Gubenko wrote, On 2008-08-07 09:09: > I use NSS3.11.4 with NSPR 4.6.4 (for fips compliant usage). > Here are the steps I perform to add new certificate to NSS db: > Phase 1 - Create a CA Certificate > > * CA: Create NSS DB for CA > o Create the folder: > mkdir /opt/nss/fipscadb/ >

Re: creating DH server certificates with NSS

2008-08-07 Thread Nelson B Bolyard
Peter Djalaliev wrote, On 2008-08-07 07:30: > Do the NSS APIs allow creating a new Diffie-Hellman SSL server > certificate? Yes, I'm pretty sure they do, but I think we have no test programs that will do so easily. I don't recall that certutil supports the generation of certs with DH public ke

Re: Importing symmetric keys to NSS from Java code

2008-08-07 Thread Nelson B Bolyard
Yevgeniy Gubenko wrote, On 2008-08-07 07:12: > Thanks a lot for your answer. > I still need some clarifications: > 1. If I understand you right, when I have to use a predefined persistent > key to do a crypto with it, there is no way, other than importing the key > into a PKCS#11 token as a token

Re: Where are the binaries for nss 3.12 and nspr 4.7.1?

2008-08-07 Thread Nelson B Bolyard
Wan-Teh Chang wrote, On 2008-08-07 06:22: > On Tue, Aug 5, 2008 at 6:44 AM, dky <[EMAIL PROTECTED]> wrote: >> I am trying to build it on Windows and GNU/Linux. I am unable to make >> progress on Windows build as it needs nsinstall which is not ported to >> Windows. I have started writing a shell sc

Re: NSS documentation guidance request

2008-08-06 Thread Nelson B Bolyard
Gordon.Young wrote, On 2008-08-05 19:45: > I need help finding a document(s) to help me understand cross > certification and path building/chaining in the NSS world. The document you want probably doesn't exist. :-( > we are doing signing something like this: > > *Private root*>subordinate is

Re: Importing symmetric keys to NSS from Java code

2008-08-06 Thread Nelson B Bolyard
Yevgeniy Gubenko wrote, On 2008-08-06 05:10: > Hello, > > I have some predefined key to use it by some symmetric algorithm > (AES/CBC/NoPadding for example) for encryption/decryption in Java 1.6 > code which works with NSS crypto in fips mode through PKCS#11 bridge. > > The questions are: > > 1.

Re: Creating detached PKCS#7 signature with cmsutil

2008-08-06 Thread Nelson B Bolyard
Michael Ströder wrote, On 2008-08-06 04:07: > Nelson B Bolyard wrote: >>> cmsutil -D -d ~/.mozilla/xxx/ -c name.tar.gz -i name.tar.gz.p7m -o test >> I remember running into this long ago. As I recall, the pass/fail result >> is very subtle. It may be nothing more t

Re: Creating detached PKCS#7 signature with cmsutil

2008-08-05 Thread Nelson B Bolyard
Michael Ströder wrote, On 2008-08-05 15:44: > Michael Ströder wrote: >> I also tried signver but this hangs: >> >> signver -V -v -d ~/.mozilla/xxx/ -i name.tar.gz -s name.tar.gz.p7m >> >> strace output of hanging signver: >> >> - snip - >> open("n

Re: Creating detached PKCS#7 signature with cmsutil

2008-08-05 Thread Nelson B Bolyard
Michael Ströder wrote, On 2008-08-05 06:09: > HI! > > I'd like to generate and verify a detached signature (in a separate > file) with a key from my Seamonkey profile. Is this approach with > cmsutil ok (single command-line wrapped here)? > > cmsutil -S -d ~/.mozilla/xxx/ -N "cert nickname"

Re: build nss

2008-08-05 Thread Nelson B Bolyard
I wrote, On 2008-08-05 14:03 PDT: > You'll find some somewhat dated build instructions at > > > If you ignore the part about checking out with certain CVS tags (since > you already have the sources), the instructi

Re: build nss

2008-08-05 Thread Nelson B Bolyard
brian wrote, On 2008-08-05 12:33 PDT: > I downloaded nss-3.12-with-nspr-4.7.tar.gz and now I am wondering how > to build it. I am working on an Ubuntu system with most developer > tools installed. Is there a configure script somewhere, or do I need > to do something different? You'll find some som

Re: Where are the binaries for nss 3.12 and nspr 4.7.1?

2008-08-05 Thread Nelson B Bolyard
dky wrote, On 2008-08-05 06:44: > On Jun 24, 11:03 pm, Glen Beasley <[EMAIL PROTECTED]> wrote: >> hi, >> >> can you not just build the binaries yourself? >> >> http://www.mozilla.org/projects/security/pki/nss/nss-3.12/nss-3.12-re... >> http://www.mozilla.org/projects/security/pki/nss/nss-3.11.4/ns

Re: Where are the binaries for nss 3.12 and nspr 4.7.1?

2008-08-05 Thread Nelson B Bolyard
I wrote: > Find nsinstall.exe in > > It's the only file you should need from that distribution. Better yet, get it from

Re: Problem with Content-type:application/x-x509-user-cert

2008-08-05 Thread Nelson B Bolyard
[EMAIL PROTECTED] wrote, On 2008-08-04 23:23: > I found this mime type(Content-type:application/x-x509-user-cert) is > used for firefox 1.5. > It just does not have popup windows for notification. Is there any version of Firefox where it DOES have a dialog? > The user certificate can be imported into

Re: Question about importing PKCS#7 chain

2008-08-04 Thread Nelson B Bolyard
Jamie wrote, On 2008-08-04 12:12: > I am attempting to allow users to import a PKCS#7 certificate chain into > their browser, but I see in the Mozilla developer docs that the certificates > in the PKCS#7 file must be ordered in a specific way (user certificate first > with the CA chain following

Re: RSA OAEP encryption support in NSS

2008-08-02 Thread Nelson B Bolyard
David Allan wrote, On 2008-08-02 09:12: > Hi all, > > I would like to port the client side of a client-server application from > OpenSSL to NSS, but I've hit a snag: > > The client creates a symmetric key, encrypts it with the server's public > key and transmits it to the server. The server, o

Re: PKCS12 Certificates and Private Keys

2008-08-01 Thread Nelson B Bolyard
joshuaaa wrote: > Now that I understand the process of how the nicknames work, I wonder > if I'm missing a step in my code. The importPKCS12File() function for > the XPCOM interface i'm using does not take any argument for a > nickname. Neither do the other import certificate functions... what > g

Re: enabling crypto hardware for NSS

2008-08-01 Thread Nelson B Bolyard
David Sadler wrote: > We have made some progress but are still having problems. > > This is what we have tried ... on SLES 10 SP1 , Suse Linux, IBM zSeries > hardware. > > on the NSS side we created a certificate DB with certutil > then added openCrypto to the DB with NSS modutil > # modutil -dbd

Re: PKCS12 Certificates and Private Keys

2008-07-31 Thread Nelson B Bolyard
joshuaaa wrote: > However, I have not succeeded yet in importing a p12 file. When I do a > CertDB.ImportPKCS12File(null, cert_file); > it runs fine, asks for the password, I enter the password, and then I > get an alert that reads "Failed to restore the PKCS #12 file for > unknown reasons". Th

Re: PKCS12 Certificates and Private Keys

2008-07-31 Thread Nelson B Bolyard
joshuaaa wrote, On 2008-07-31 06:46: > If I understand correctly, to import a certificate from a .p12 file, > you first have to store the private key on the internal key storage > token before you can import the certificate. Is this correct? No. A PKCS#12 file contains (or should contain) both a

Re: Problem with Content-type:application/x-x509-user-cert

2008-07-29 Thread Nelson B Bolyard
[EMAIL PROTECTED] wrote: > I checked other tabs but got nothing. > I found firefox 2.x and 3.0 can work but version 1.5 can not. > Is there any difference of key db between firefox 3.0(2.x) and firefox > 1.5? I don't remember that far back too well. I'm sure there are many differences in the bro

Re: Problem with Content-type:application/x-x509-user-cert

2008-07-29 Thread Nelson B Bolyard
[EMAIL PROTECTED] wrote: > But when the browser doesn't have the private key, it should popup a > window that says "The personal certificate can't be installed because you > do not own the corresponding private key which was created when the > certificate was requested." I agree. > There is no any ac

Re: Problem with Content-type:application/x-x509-user-cert

2008-07-29 Thread Nelson B Bolyard
Nelson B Bolyard wrote: > [EMAIL PROTECTED] wrote: > >> I am a CA manager and I am trying to use Content-type:application/x- >> x509-user-cert to support user importing certificate into firefox. >> I now can import certificate on windows successfully but it does not

Re: Problem with Content-type:application/x-x509-user-cert

2008-07-29 Thread Nelson B Bolyard
[EMAIL PROTECTED] wrote: > I am a CA manager and I am trying to use Content-type:application/x- > x509-user-cert to support user importing certificate into firefox. > I now can import certificate on windows successfully but it does not > work on linux machine. > Could anyone give me suggestion abo

Re: Comparison of OpenSSL and NSS

2008-07-29 Thread Nelson B Bolyard
Rainer Gerhards wrote, On 2008-07-29 03:41 PDT: > I am stepping in as a TLS-newbie who a few weeks ago selected to start > a project with GnuTLS over NSS because there is very little > *documentation* inside NSS that tells how to get started on a simple > system that does not involve in-depth knowl

Re: Question about JSS FIPS compliance

2008-07-29 Thread Nelson B Bolyard
Wan-Teh Chang wrote, On 2008-07-29 09:51: > NSS treats its own software crypto module (softoken) as a > PKCS #11 module. ... because it IS a PKCS#11 module. :) > NSS calls the functions of a PKCS #11 > module through function pointers. Here is an example: > http://mxr.mozilla.org/security/sour

Re: Use PEM formatted certs (was Re: Comparison of OpenSSL and NSS)

2008-07-28 Thread Nelson B Bolyard
Wan-Teh Chang wrote, On 2008-07-28 18:20: > On Mon, Jul 28, 2008 at 5:44 PM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote: >> NSS's own PKCS#11 module claims to be 2.10 (don't know why, because it >> has many features from 2.20). > > I believe we claim to b

Re: Comparison of OpenSSL and NSS

2008-07-28 Thread Nelson B Bolyard
Joe Orton wrote, On 2008-07-28 16:09: > On Sat, Jul 26, 2008 at 05:17:56PM -0700, Nelson Bolyard wrote: >> Daniel Stenberg wrote, On 2008-07-26 13:45: >> >>> As a user of OpenSSL, NSS, yassl and GnuTLS I can certainly agree that >>> GnuTLS has flaws in its API but NSS most certainly also has flaws

Re: Use PEM formatted certs (was Re: Comparison of OpenSSL and NSS)

2008-07-28 Thread Nelson B Bolyard
Kyle Hamilton wrote, On 2008-07-28 17:23: > This is, honestly, a matter of "NSS's implementors decided to force > administrators and users to jump through hoops." There may be > legitimate policy concerns with certain policies that require > everything to be inside the database that NSS uses. Not

Re: Use PEM formatted certs (was Re: Comparison of OpenSSL and NSS)

2008-07-28 Thread Nelson B Bolyard
Daniel Stenberg wrote, On 2008-07-28 13:48: > On Mon, 28 Jul 2008, Nelson B Bolyard wrote: > >> NSS is quite capable of importing certificates in "PEM" format. > > Importing them where? If I want to use NSS for the TLS layer and I have > the ca cert in a PEM form

Re: Question about JSS FIPS compliance

2008-07-28 Thread Nelson B Bolyard
Dean wrote, On 2008-07-28 13:50: > If an application wants to claim FIPS compliance does it have to be > implemented following all the guidelines set out in the FIPS certified > applications Security Policy document? > > Specifically I suppose I'm trying to confirm that JSS is a FIPS > compliant l

Re: Comparison of OpenSSL and NSS

2008-07-28 Thread Nelson B Bolyard
Daniel Stenberg wrote, On 2008-07-28 09:12: > On Sat, 26 Jul 2008, Nelson Bolyard wrote: > >>> As a user of OpenSSL, NSS, yassl and GnuTLS I can certainly agree that >>> GnuTLS has flaws in its API but NSS most certainly also has flaws as well >>> _and_ notable missing features that GnuTLS offer

Re: Firefox and ECC TLS ciphersuites

2008-07-25 Thread Nelson B Bolyard
Wan-Teh Chang wrote, On 2008-07-25 15:07: > On Fri, Jul 25, 2008 at 2:49 PM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote: >> I suspect that it MAY be the case that there are other copies of NSS on >> your system(s), and that those other copies are being used instead of

Re: Firefox and ECC TLS ciphersuites

2008-07-25 Thread Nelson B Bolyard
William Price wrote, on 2008-07-24 20:36: > [bp] I have built a version of NSS that supports ECC and it appears to be > working well. Glad to hear that. How did you test it? If you substituted your own build for the build that came with FF3, and found that it worked in FF3 and enabled ECC, that

Re: Firefox and ECC TLS ciphersuites

2008-07-25 Thread Nelson B Bolyard
Wan-Teh Chang wrote, On 2008-07-25 12:03: > On Fri, Jul 25, 2008 at 6:59 AM, mozilla <[EMAIL PROTECTED]> wrote: >> I expected FF3.0.1 to do TLS with the specific ECC ciphersuite that you >> identify. However, my FF3 is not offering the ECC suites in its client >> hello. I downloaded FF3.0.1 from th

Re: Cert MIME types

2008-07-25 Thread Nelson B Bolyard
Michael Ströder wrote, On 2008-07-25 06:13: > Nelson B Bolyard wrote: >> I suggest you look at >> http://developer.mozilla.org/en/docs/NSS_Certificate_Download_Specification >> for ideas on importing certs. > > I wonder why Mozilla doesn't support application/pkix-

Re: Comparison of OpenSSL and NSS

2008-07-24 Thread Nelson B Bolyard
Daniel Stenberg wrote, On 2008-07-23 14:43: > On Wed, 23 Jul 2008, Ruchi Lohani wrote: > >> Since a lot of open source softwares are using NSS, I wish to know whether >> we have some documentation on specifics of >> >> OpenSSL and NSS and the advantages NSS has over OpenSSL. If so, can anybody >

Re: adding and removing certificate while FF3 is running?

2008-07-24 Thread Nelson B Bolyard
joshuaaa wrote, On 2008-07-24 06:56: > This is part of a project to increase security here at work. To be > honest, I'm not completely sure of all the details. I've just been > asked to add/remove user certificates while the browser is running. User certificates? Certificates for which the user

Re: Firefox and ECC TLS ciphersuites

2008-07-24 Thread Nelson B Bolyard
Bill Price wrote, On 2008-07-24 15:17 PDT: > I'm trying to do TLS using an ECC ciphersuite. I thought FF3 natively > supported it (ECC ciphersuites are enabled in about:config). Using normal > downloads of FF3 on either Linux or Windows I'm getting the error that > there's no common ciphersuite.

Re: Firefox and ECC TLS ciphersuites

2008-07-24 Thread Nelson B Bolyard
Bill Price wrote, On 2008-07-24 15:17: > I'm trying to do TLS using an ECC ciphersuite. I thought FF3 natively > supported it (ECC ciphersuites are enabled in about:config). Using normal > downloads of FF3 on either Linux or Windows I'm getting the error that > there's no common ciphersuite. Lo

Re: question about ECC

2008-07-24 Thread Nelson B Bolyard
ZhanLeo wrote, on 2008-07-24 07:45 PDT: > I'm building Firefox 2, and I find it supports ECC. I gather that this project has begun relatively recently, and so I wonder why you're building Firefox 2 instead of Firefox 3. > Could I only limit the ECC key lengths to 128bits Such a change could be

Re: adding and removing certificate while FF3 is running?

2008-07-24 Thread Nelson B Bolyard
Jean-Marc Desperrier wrote, On 2008-07-24 05:52: > Nelson B Bolyard wrote: >> [...] >> For applications like FF3 that use NSS 3.12, which type of DB is used is >> under the control of the application. FF3 does not make use of the SQLite3 >> DBs (even though that capabil

Re: question about certificate chain from https://suppliers.intel.com

2008-07-24 Thread Nelson B Bolyard
Jean-Marc Desperrier wrote, On 2008-07-24 05:37: > For example about the shareable database, your response late in February > about that was that there was still a lot left to do for it, In NSS, yes. That work was completed, as planned. > and that you didn't see the point unless both Fx and

Re: question about certificate chain from https://suppliers.intel.com

2008-07-24 Thread Nelson B Bolyard
Eddy Nigg wrote, On 2008-07-24 01:15: > Nelson B Bolyard: >> I believe that, within the Mozilla developer community, there is a widely >> held misconception that NSS=PSM and the NSS team is the PSM team. But >> that's really not correct. Most of the NSS developers

Re: adding and removing certificate while FF3 is running?

2008-07-23 Thread Nelson B Bolyard
joshuaaa wrote, On 2008-07-23 20:30: > Sorry for the confusion. It would be greatly appreciated if anyone can > shed some light on this subject. I've spent plenty of hours > researching and haven't come up with anything promising. > > Anyone know if this can be accomplished through an extension?

Re: Decline in firefox usage due to lacking CA certificates

2008-07-23 Thread Nelson B Bolyard
Thorsten Becker wrote, On 2008-07-23 03:38: > One problem I have with the current implementation > is: A user gets a big warning about an unknown and untrusted > certificate. In the next step, he can add an exception. That process is > a bit difficult. And it should be difficult. I totally agr

Re: question about certificate chain from https://suppliers.intel.com

2008-07-23 Thread Nelson B Bolyard
Eddy Nigg wrote, On 2008-07-23 14:30: > Nelson B Bolyard: >> Note that, when it sends the http get request to fetch the cert, it has >> not yet validated the cert from which it got the http URL, so it doesn't >> know if that URL is legitimate or from some hacker. It b

Re: enabling crypto hardware for NSS

2008-07-23 Thread Nelson B Bolyard
David Sadler wrote, On 2008-07-23 08:12: > > Is this IBM linux? Red Hat Linux? or ? > (I ask because I know that Red Hat Linux supports mod_nss in Apache, but > I was not aware that it was also being used in any IBM Linux. That would > be good to know.) > > I am using SUSE 10 Linux, with Red

Re: adding and removing certificate while FF3 is running?

2008-07-23 Thread Nelson B Bolyard
joshuaaa wrote, On 2008-07-23 14:38: > On Jul 23, 4:20 pm, Nelson B Bolyard <[EMAIL PROTECTED]> wrote: >> joshuaaa wrote, On 2008-07-22 23:56: >> >>> I was under the impression (read somewhere here) that firefox 3 would >>> allow the cert database to be

Re: adding and removing certificate while FF3 is running?

2008-07-23 Thread Nelson B Bolyard
joshuaaa wrote, On 2008-07-22 23:56: > I was under the impression (read somewhere here) that firefox 3 would > allow the cert database to be updated WHILE firefox was running. I'm > getting the same old behavior in FF3. ie. remove cert while firefox is > open, view cert manager and the cert still

Re: question about certificate chain from https://suppliers.intel.com

2008-07-23 Thread Nelson B Bolyard
Eddy Nigg wrote, On 2008-07-23 08:26: > IE fetches CA certificates on its own if a service URL of the CA issues > is present in the parent certificate, but NSS doesn't for now. Rather, Firefox 3 does not use the facility of NSS that is capable of fetching certs in that fashion. NSS 3.12 has lo

Re: question about certificate chain from https://suppliers.intel.com

2008-07-23 Thread Nelson B Bolyard
Eddy Nigg wrote, On 2008-07-23 09:26: > Well, the RFC requires the server to send any chained CA certificate up > to the CA root. The server doesn't have to send the root CA certificate > itself however. Correct. The TLS RFC requires that the server sends the chain. The fact that it is now po

Re: Failed to toggle FIPS mode with JSS

2008-07-23 Thread Nelson B Bolyard
Dean wrote, On 2008-07-23 09:08: > Thanks for the answers Wan-Teh and Nelson ... and I do agree with both > of you that the work around would be an abuse of FIPs and I shouldn't > do it if I hope to claim FIPs compliance. > > I'm clearly missing a piece of the puzzle. > > Essentially I have an

Re: enabling crypto hardware for NSS

2008-07-22 Thread Nelson B Bolyard
I wrote: > I found the bug that is responsible for the fact that no error message > is displayed, and we could fix it, I filed bug 447563 about this. https://bugzilla.mozilla.org/show_bug.cgi?id=447563 Please feel free to add yourself to the CC list of that bug if you're interested in updates. _

Re: Firefox crash issue

2008-07-21 Thread Nelson B Bolyard
Ruchi Lohani wrote, On 2008-07-21 13:22: > Since the last comment in the Ubuntu bug thread > https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/108929 by > Alexander Sack says that "should be fixed by one of the nss updates we > released" so wanted to know whether there was already a Bug for t

Re: Including FNMT cert in Firefox 3 (Spanish government)

2008-07-20 Thread Nelson B Bolyard
Eddy Nigg wrote, On 2008-07-20 16:30: > Eddy Nigg: >> OK, hereby Frank has seen your request to add the details of FNMT to the >> pending page and I guess that he'll gladly do so soon. >> > > After having time to actually visit the bug entry I believe that FNMT > isn't ready yet for prime t

Re: Including FNMT cert in Firefox 3 (Spanish government)

2008-07-20 Thread Nelson B Bolyard
Nukeador wrote, On 2008-07-20 10:05: > Is there a site with the pending requests queue?

Re: Comodo ECC CA inclusion/EV request

2008-07-19 Thread Nelson B Bolyard
Nelson B Bolyard wrote: > > Frank Hecker wrote, On 2008-07-18 15:18: >> Paul Hoffman wrote: >>> At 9:27 AM -0400 7/18/08, Frank Hecker wrote: >>>> Paul Hoffman wrote: >>>> > Has anyone validated the ECC parameters they used? >>>>

Re: ssh/sftp with nss/nspr?

2008-07-19 Thread Nelson B Bolyard
Matt Lawson wrote, On 2008-07-18 15:20: > I am considering retro-fitting an existing application with the NSS/NSPR > libraries, however I also need ssh and sftp capability. I cannot find > anywhere a discussion of these in relationship to NSS. > > Is there an existing way to do this? Or do I h

Re: Comodo ECC CA inclusion/EV request

2008-07-19 Thread Nelson B Bolyard
Paul Hoffman wrote, On 2008-07-18 20:00: >> 2. Import that root CA cert. > > restart FF (at least 3)... should not be necessary. Might be necessary to see the cert in the UI, due to possible UI issues, but is not required in NSS. >> I hope you trust the ECC implementation in NSS. > > I

Re: Comodo ECC CA inclusion/EV request

2008-07-19 Thread Nelson B Bolyard
Frank Hecker wrote, On 2008-07-18 15:18: > Paul Hoffman wrote: >> At 9:27 AM -0400 7/18/08, Frank Hecker wrote: >>> Paul Hoffman wrote: >>> > Has anyone validated the ECC parameters they used? >>> >>> Not that I'm aware. >> I think that's unfortunate. It is easy for all of us to test the >> param

Re: Firefox 3; CAs; Slashdot; guess what happens next

2008-07-18 Thread Nelson B Bolyard
Paul Hoffman wrote, On 2008-07-18 16:16: > It's gratifying to see the numbers of people who do understand PKI and are refuting the usual ignorant nonsense. It appears to me that the percentage of replies from people who "get it" is higher

Re: Public comment periods

2008-07-18 Thread Nelson B Bolyard
I'm not clear on the separate purposes of the two comment periods. Is there a statement somewhere, of what their separate purposes are? What (if anything) are the would-be public participants supposed to do differently in one period than in the other? What is the event (other than the passage of

Re: A general question about libnss3

2008-07-18 Thread Nelson B Bolyard
Ruchi Lohani wrote, On 2008-07-18 11:06: > It gives the version as NSS 3.12.0.2. > > The problem I am facing is when I build my program on Ubuntu linking to > nss and nspr it works fine on Ubuntu but when I try to use the same > library built on Ubuntu on Suse it's unable to resolve the symbols an

Re: 3rd party ECC module + NSS integration

2008-07-17 Thread Nelson B Bolyard
David Stutzman wrote: > Nelson, > > Thanks for the info, I tried to list out the tags from the repository > which didn't go so well so I just grabbed the HEAD for everything and it > ended up working just fine for me, both on the command line and for > Dogtag. The Dogtag devs and I have updated

Re: 3rd party ECC module + NSS integration

2008-07-16 Thread Nelson B Bolyard
David Stutzman wrote, On 2008-07-16 07:14: > I'm using NSS 3.11.4 according to the Dogtag instructions. OK. I don't work on, or with, dogtag, so I don't know what version(s) of NSS it uses or recommends. Dogtag is just another one of the many products that use NSS that are relatively unknown t

Re: enabling crypto hardware for NSS

2008-07-15 Thread Nelson B Bolyard
David Sadler wrote, On 2008-07-15 09:24: > > I am trying to set up Apache2, I have enabled NSS and software encryption > is working. > I looked at the doc on modutil but when I tried what I thought might > work I got this error. > webserver1:/etc/apache2 # modutil -dbdir /etc/apache2/SampleCertDBs/

Re: 3rd party ECC module + NSS integration

2008-07-15 Thread Nelson B Bolyard
David Sadler wrote, On 2008-07-15 12:49: > > I have installed > mozilla-nss-3.11-21.9.s390x.rpm > mozilla-nss-debuginfo-3.11-21.9.s390x.rpm > mozilla-nss-devel-3.11-21.9.s390x.rpm > mozilla-nss-tools-3.11-21.9.s390x.rpm > apache2-prefork-2.2.3-16.9 > and a "mod_nss-1.0.7" from cvs.fedora.redhat.c

Re: 3rd party ECC module + NSS integration

2008-07-15 Thread Nelson B Bolyard
David, You seem to be describing at least two separate issues here. You didn't mention which NSS release you are testing. If you're using any NSS release other than 3.12, perhaps you are encountering https://bugzilla.mozilla.org/show_bug.cgi?id=443045

Re: enabling crypto hardware for NSS

2008-07-14 Thread Nelson B Bolyard
David Sadler wrote, On 2008-07-14 07:08: > > I am trying to find a reference on how to configure NSS to support a > crypto hardware device. > > For openSSL I added "SSLCryptoDevice ibmca" to the httpd.conf file. This > enabled the ibmca engine in SSL. > > What is the counter way to enable a cry

Re: GlobalSign requests (replacement root, EV)

2008-07-14 Thread Nelson B Bolyard
Eddy Nigg wrote, On 2008-07-13 22:09: > Nelson B Bolyard: >> Eddy Nigg wrote, On 2008-07-13 13:53: >> >>> This is perhaps the first EV request which doesn't have an operating >>> OCSP responder at this stage. The EV guidelines require it only in 2010 >&g

Re: GlobalSign requests (replacement root, EV)

2008-07-13 Thread Nelson B Bolyard
Eddy Nigg wrote, On 2008-07-13 13:53: > This is perhaps the first EV request which doesn't have an operating > OCSP responder at this stage. The EV guidelines require it only in 2010 > however I haven't come across a CA which doesn't provide this service > *and* issues EV. Actually, there ar

Re: How to export un-encrypted private key using NSS API for OpenSSL base apps

2008-07-12 Thread Nelson B Bolyard
Subrata Mazumdar wrote, On 2008-07-12 13:34: > I have created a self-signed cert using certutil. I want to export the > associated private key in Mozilla Cert/Key DB as an un-encrypted private > key to be used by an OpenSSL based App. > The requirement is to use Mozilla NSS API to export the ke

Re: problem using the method importUsertCertificates

2008-07-09 Thread Nelson B Bolyard
Jero wrote, On 2008-07-09 07:22: > I know that you can do that by changing the contentType in a servlet to > "application/x-x509-user-cert" but I want to install more than one user > certificate (if you send a pkcs7 with several user certificates only the > first one is installed). That might
