Re: How to access certs in the Windows keystore from Java?

2015-10-08 Thread helpcrypto helpcrypto
On Wed, Oct 7, 2015 at 7:45 PM, wrote: > Maybe my googling skills are weak, but I found no information on how to > get NSS to use keys from the Windows keystore. In the end, I decided it's > probably a violation of the NSS paradigm anyway. It seems the intent is to >

Re: How to access certs in the Windows keystore from Java?

2015-10-05 Thread helpcrypto helpcrypto
Hi Merlin Google is full of references and examples if you look for something like "java NSS" Anyhow, to use a certificate stored on Windows Keystore you have to use MSCAPI provider ("How to java mscapi") If you want to use a certificate stored on NSS (Firefox/Thunderbird) or a pkcs#11 token,

Re: Prevent "proxyfying" PKCS#11

2015-09-29 Thread helpcrypto helpcrypto
Julien: you and me have "at the end" the same problem. Java Web applets are passing away and we are looking for alternatives. If you are just talking about "scanning", there are 3 options AFAIK to do that: - From web invoke 127.0.0.1:port application(service) which listens on port X and do all the

Re: [Opensc-devel] Prevent "proxyfying" PKCS#11

2015-09-28 Thread helpcrypto helpcrypto
On Fri, Sep 25, 2015 at 3:47 PM, Ludovic Rousseau < ludovic.rouss...@gmail.com> wrote: > Hello, > > 2015-09-25 14:45 GMT+02:00 helpcrypto helpcrypto <helpcry...@gmail.com>: > > But we still have the issue with the data sent from server. eg: server > sent > &

Re: Prevent "proxyfying" PKCS#11

2015-09-28 Thread helpcrypto helpcrypto
: > >> Le vendredi 25 septembre 2015 14:39:04 UTC+2, helpcrypto helpcrypto a >> écrit : >> >>> On Fri, Sep 25, 2015 at 11:52 AM, Erwann Abalea <eaba...@gmail.com> >>> wrote: >>> >> [...] >> >>> Although it won't solve

Prevent "proxyfying" PKCS#11

2015-09-25 Thread helpcrypto helpcrypto
Hi all I hope you can find a solution for my problem, cause I can't. (And perhaps it's impossible) Based on my knowledge of PKCS#11 standard, the spec is exposed to a MITM attack that steals the PIN when an application invokes C_Login against a PK#11 library. While using CryptoAPI it's the

Re: Prevent "proxyfying" PKCS#11

2015-09-25 Thread helpcrypto helpcrypto
On Fri, Sep 25, 2015 at 11:52 AM, Erwann Abalea <eaba...@gmail.com> wrote: > Bonjour, > > Le vendredi 25 septembre 2015 10:36:53 UTC+2, helpcrypto helpcrypto a > écrit : > > I hope you can find a solution for my problem, cause I can't. (And > perhaps > > it'

Re: [Opensc-devel] Prevent "proxyfying" PKCS#11

2015-09-25 Thread helpcrypto helpcrypto
On Fri, Sep 25, 2015 at 11:21 AM, Dirk-Willem van Gulik < di...@webweaving.org> wrote: > On 25 Sep 2015, at 10:36, helpcrypto helpcrypto <helpcry...@gmail.com> > wrote: > > > I hope you can find a solution for my problem, cause I can't. (And > perhaps it's impossibl

Re: [Opensc-devel] Prevent "proxyfying" PKCS#11

2015-09-25 Thread helpcrypto helpcrypto
On Fri, Sep 25, 2015 at 11:15 AM, Andreas Schwier < andreas.schwier...@cardcontact.de> wrote: > Hi, > > you mention a common problem with PIN authentication and smart cards: To > keep the PIN protected on the path between the PIN entry and chip must > be protected. > > There are two alternatives:

Root certificates bundled with Iceweasel/Firefox (Icecode/Thunderbird)?

2015-09-24 Thread helpcrypto helpcrypto
Hi Iceweasel/Firefox 38 seem to bundle: - DigiCert Assured ID Root CA with serialnumber 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39 - TERENA SSL CA 3 with 08 70 BC C5 AF 3F DB 95 9A 91 CB 6A EE EF E4 65 None of them seem to appear on:

About 's future...

2015-09-17 Thread helpcrypto helpcrypto
Hi all As previously raised on this list, there's an open wardiscussion about removing [1] Some people, like Sir Tim Berners-Lee don't seem to agree with that, hence another thread is taking place at [2] For Google, it seems the decision has been made, nothing is going to change, and could

Re: About 's future...

2015-09-17 Thread helpcrypto helpcrypto
On Thu, Sep 17, 2015 at 8:59 PM, Rob Stradling wrote: > The existence of this bug... > > https://bugzilla.mozilla.org/show_bug.cgi?id=1191414 > "gather telemetry on usage of " > > ...would seem to suggest that Mozilla "haven't decided anything yet". > IMHO that's not a

Re: Remove Legacy TLS Ciphersuites from Initial Handshake by Default

2015-04-29 Thread helpcrypto helpcrypto
ping? On Tue, Mar 17, 2015 at 5:15 PM, helpcrypto helpcrypto helpcry...@gmail.com wrote: If I understand correctly, dropping will be at browser level, ie: end users won't be capable of using their legacy certificates. So far, only SSL certificates 2048 were shown as unsafe in Chrome. Am I

Re: Remove Legacy TLS Ciphersuites from Initial Handshake by Default

2015-03-17 Thread helpcrypto helpcrypto
If I understand correctly, dropping will be at browser level, ie: end users won't be capable of using their legacy certificates. So far, only SSL certificates 2048 were shown as unsafe in Chrome. Am I right? Chrome [1] plans dropping 1024 by the end of the year. Firefox [2] is going to drop it

Forgotten keygen requests

2015-03-04 Thread helpcrypto helpcrypto
Hi. Making some tests this week I have made several keygen requests using Firefox. AFAIK, each keygen stores a (persistent) keypair which will be used to issue new certificates later. I assume these keys are stored on key3.db. Is there any mechanism to list how many keypairs are present on my

Re: Build error for NSS 3.17.4 (Windows 7)--needs to be addressed in NSPR

2015-02-02 Thread helpcrypto helpcrypto
On Mon, Feb 2, 2015 at 1:17 PM, Kai Engert k...@kuix.de wrote: exported: OS_TARGET=WINNT Please use OS_TARGET=WIN95 That's the newer and supported configuration. LOL hahahahahahahahahahahahahahaha I love you kaie ;) -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org

Re: Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2

2015-01-16 Thread helpcrypto helpcrypto
IIUC what Bob/Christina said, it's not possible yet. Personally, I have no idea :P On Thu, Jan 15, 2015 at 9:37 PM, deepr...@gmail.com wrote: Ahh, ok fine. But are you able to tell me if it's possible to create TLS 1.1 and 1.2 sockets with JSS. Thanks a bunch.

Re: Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2

2015-01-15 Thread helpcrypto helpcrypto
On Thu, Jan 15, 2015 at 2:55 PM, deepreel deepr...@gmail.com wrote: helpcrypto: Thank you great code samples...but...I'm stuck with using JSS and the org.mozilla.jss.ssl hierarchy. Your snippets are using either JSSE or apache libraries no? Unless I'm missing something obvious.

Re: Accessing Firefox keystore

2015-01-15 Thread helpcrypto helpcrypto
Didn't, just telling you what's in there. I just need/use personal, hence softokn is enough for me. On Wed, Jan 14, 2015 at 11:58 PM, Opa114 opa...@gmail.com wrote: - People (personal without related private key) -- how did you get this?

Re: Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2

2015-01-15 Thread helpcrypto helpcrypto
these methods to control protocols. Sincerely On Tuesday, 13 January 2015 13:14:05 UTC-5, helpcrypto helpcrypto wrote: On Mon, Jan 12, 2015 at 11:10 PM, deepr...@gmail.com wrote: Folks, Sorry for the totally newbie question but I've hunted high and low. I am supporting some Java

Re: Accessing Firefox keystore

2015-01-14 Thread helpcrypto helpcrypto
Hi Matthias As stated in [1] you should use nssModule=trustanchors I have tried: String config = name = NSS\r\n nssLibraryDirectory = + tmpDirName + \r\n nssSecmodDirectory = + profile.replace(\\, /) + \r\n nssDbMode = readOnly\r\n nssModule = trustanchors\r\n attributes =

Re: Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2

2015-01-13 Thread helpcrypto helpcrypto
On Mon, Jan 12, 2015 at 11:10 PM, deepr...@gmail.com wrote: Folks, Sorry for the totally newbie question but I've hunted high and low. I am supporting some Java code that uses JSS4, NSS to provide SSL Server side services. In response to Poodle I've been looking this code and was able to

Re: Accessing Firefox keystore

2015-01-13 Thread helpcrypto helpcrypto
That's your mistake: Using softokn+slot=2 will access your personal/installed certificates, not CA/trusted ones. Perhaps slot 1 will do, but I have never tried. On Tue, Jan 13, 2015 at 5:19 PM, Opa114 opa...@gmail.com wrote: I mean the Server and CA not only own Certificates

Re: Accessing Firefox keystore

2015-01-13 Thread helpcrypto helpcrypto
On Tue, Jan 13, 2015 at 7:18 PM, Opa114 opa...@gmail.com wrote: Am Dienstag, 13. Januar 2015 19:04:28 UTC+1 schrieb helpcrypto helpcrypto: That's your mistake: Using softokn+slot=2 will access your personal/installed certificates, not CA/trusted ones. Perhaps slot 1 will do, but I have

Re: Accessing Firefox keystore

2015-01-13 Thread helpcrypto helpcrypto
: http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html There are a lot of resources on google too. Good luck ;) On Mon, Jan 12, 2015 at 7:58 PM, Opa114 opa...@gmail.com wrote: Am Montag, 12. Januar 2015 18:51:51 UTC+1 schrieb helpcrypto helpcrypto: This is the dependency

Re: Accessing Firefox keystore

2015-01-13 Thread helpcrypto helpcrypto
On Tue, Jan 13, 2015 at 12:00 PM, Opa114 opa...@gmail.com wrote: thanks again. I have compared my code with your piece of code you posted and I have the same. But I still get the Error: CKR_DEVICE_ERROR CKR_DEVICE_ERROR is an error on the cryptoki itself, as stated by PKCS#11 standard. I have

Re: Accessing Firefox keystore

2015-01-13 Thread helpcrypto helpcrypto
This one is working: http://pastebin.com/qqPf4cvM Regards On Tue, Jan 13, 2015 at 12:29 PM, Opa114 opa...@gmail.com wrote: Am Dienstag, 13. Januar 2015 12:14:28 UTC+1 schrieb helpcrypto helpcrypto: On Tue, Jan 13, 2015 at 12:00 PM, Opa114 opa...@gmail.com wrote: thanks again. i have

Re: Accessing Firefox keystore

2015-01-12 Thread helpcrypto helpcrypto
To sum up: It's a Java bug. Consider copying softokn and dependencies to %temp% It only accepts elemental characters ie: not '(', neither 'á'... On Mon, Jan 12, 2015 at 2:25 PM, Opa114 opa...@gmail.com wrote: hi again, yeah I googled the last days very much about this topic. so I found out

Re: Accessing Firefox keystore

2015-01-12 Thread helpcrypto helpcrypto
In fact, to be more funny, JRE8 has another bug (IIRC on XP) where spaces ' ' aren't allowed either! Regards. On Mon, Jan 12, 2015 at 2:34 PM, helpcrypto helpcrypto helpcry...@gmail.com wrote: To sum up: It's a Java bug. Consider copying softokn and dependencies to %temp% It only accepts

Re: Accessing Firefox keystore

2015-01-12 Thread helpcrypto helpcrypto
Hi If you want to work with cert8, even from Java, consider using certutil (via running a command). If you want to sign with a locally-installed X509 (keys are stored on key3.db), I still consider using SunPKCS#11 for attacking softokn3 your best option. Regards On Sat, Jan 10, 2015 at 2:46

Re: Accessing Firefox keystore

2015-01-12 Thread helpcrypto helpcrypto
This is the dependency lack ;) This is what I have, probably some have changed: String[] nssDeps = { //WARNING: Order MATTERS! System.mapLibraryName("msvcr100"), System.mapLibraryName("msvcp100"), System.mapLibraryName("mozglue"),

Re: Accessing Firefox keystore

2015-01-09 Thread helpcrypto helpcrypto
On Thu, Jan 8, 2015 at 11:19 PM, Robert Relyea rrel...@redhat.com wrote: On 12/11/2014 12:33 AM, helpcrypto helpcrypto wrote: Hi again, sorry for delay. Yes, you can (SHOULD) use SunPKCS#11 to access directly the libraries/modules. You can do it two ways: - attack libraries directly

Re: Accessing Firefox keystore

2015-01-09 Thread helpcrypto helpcrypto
I'm parsing secmod.db, not cert8.db. If you plan to parse cert8.db I suggest you have a look on certutil source. https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_certutil Regards On Fri, Jan 9, 2015 at 12:04 PM, Opa114 opa...@gmail.com wrote: could you give

Re: Accessing Firefox keystore

2014-12-11 Thread helpcrypto helpcrypto
Hi again, sorry for delay. Yes, you can (SHOULD) use SunPKCS#11 to access directly the libraries/modules. You can do it two ways: - attack libraries directly - parse (legacy) secmod.db on Firefox profile to list modules/libraries. Have a look on

Re: Problems with Certificate Manager in Thunderbird using S/MIME

2014-12-04 Thread helpcrypto helpcrypto
Haven't tested yet, but you could file a bug, although I don't know if it will be accepted. If you have both accounts on your profile, you are the 2 people, hence there's no reason to send you a crypted message to yourself. I would accept the bug, but will give a 0.001 priority... A workaround

Re: NSS modutil: Adding PKCS#11 module with PIN to nssdb

2014-11-07 Thread helpcrypto helpcrypto
For such a tricky thing, although I don't like it, you could use a proxy library, like PKCS11SPY which forwards every call to your library, but sends the PIN when needed / at first use if your token is present (to avoid locking other cards). If you need such behaviour, why just don't use NSS

Re: Request restoration of PK11_SetPublicKeyNickname and PK11_SetPrivateKeyNickname

2014-10-07 Thread helpcrypto helpcrypto
IIRC, nicknames aren't part of PKCS#11 standard, so I would suggest instead using CKA_ID (hash of public key; certificate, public and private keys have the same) On Tue, Oct 7, 2014 at 9:15 AM, Sean Leonard dev+mozi...@seantek.com wrote: Hi Mozilla/Firefox crypto people: In Firefox 33 (and

Re: Request restoration of PK11_SetPublicKeyNickname and PK11_SetPrivateKeyNickname

2014-10-07 Thread helpcrypto helpcrypto
. Then you could use C_G/SetAttributeValue with CKA_LABEL, isn't it? Sean On 10/7/2014 12:38 AM, helpcrypto helpcrypto wrote: IIRC, nicknames aren't part of PKCS#11 standard, so I would suggest instead using CKA_ID (hash of public key; certificate, public and private keys have the same

Re: Request restoration of PK11_SetPublicKeyNickname and PK11_SetPrivateKeyNickname

2014-10-07 Thread helpcrypto helpcrypto
As NSS doesn't expose that function (IMHO it Should), couldn't you use PK11_Read/WriteRawAttribute? (Apart this should being fixed or not) On Tue, Oct 7, 2014 at 10:20 AM, helpcrypto helpcrypto helpcry...@gmail.com wrote: On Tue, Oct 7, 2014 at 10:02 AM, Sean Leonard dev+mozi...@seantek.com

Re: Java, Webcrypto, SmartCards and document signing (AGAIN)

2014-07-31 Thread helpcrypto helpcrypto
Ping? On Fri, Jul 11, 2014 at 8:46 AM, helpcrypto helpcrypto helpcry...@gmail.com wrote: Hi all. Sorry for resurrecting zombies (again). And sorry if this has been answered already (Too much work confuses my mind). As I have said before, in our organization we use a Java Applet

Java, Webcrypto, SmartCards and document signing (AGAIN)

2014-07-11 Thread helpcrypto helpcrypto
Hi all. Sorry for resurrecting zombies (again). And sorry if this has been answered already (Too much work confuses my mind). As I have said before, in our organization we use a Java Applet to discover and use smartcards (via PKCS#11) to be able to do batch document signage on web pages with

Re: Intent to unimplement: proprietary window.crypto functions/properties

2014-06-30 Thread helpcrypto helpcrypto
On Fri, Jun 27, 2014 at 6:32 PM, Brian Smith br...@briansmith.org wrote: Hi The issue is that the WebCrypto API uses a totally separate keystore from the X.509 client certificate keystore (if it doesn't, it should be), and the stuff that Red Hat does is about client certificates. AFAICT,

Re: Longterm crypto support

2013-12-17 Thread helpcrypto helpcrypto
Probably I'm lost in the translation. Some of our users still have 1024 RSA certificates which they use for HTTPS client auth or signing documents. Are you suggesting to stop supporting/allowing these certificates? If yes, I suppose you will change low level to 2048 on keygen, isn't it? On Sun,

Discussion about Bug 914690 - In Firefox 24 and following, mark all versions of Java as unsafe

2013-10-28 Thread helpcrypto helpcrypto
*Hi all* Before starting, I'd like to apologize for any incorrect grammar or typo I could do. I'm not a native and I'm trying my best. Although I think most of us agree that *The era of Java Applets must end*, after asking a few questions to WebCrypto WG, seems they don't share this thought/they don't

Re: Discussion about Bug 914690 - In Firefox 24 and following, mark all versions of Java as unsafe

2013-10-28 Thread helpcrypto helpcrypto
On Mon, Oct 28, 2013 at 2:03 PM, florian.ben...@quantumedia.de wrote: On Monday, October 28, 2013 1:50:42 PM UTC+1, helpcrypto helpcrypto wrote: Something similar to Webcrypto should work, but having user keys in mind. AFAIK, WebCrypto[1] is the replacement for the current window.crypto

Re: NSS+JSS in FIPS mode for Encryption and Decryption in java

2013-08-28 Thread helpcrypto helpcrypto
On Mon, Aug 26, 2013 at 7:11 PM, raj raje...@gmail.com wrote: Hello helpcrypto, Thank you so much for your response. If we use the SunPKCS11, is NSS library the one doing encryption/decryption stuff?? No idea. Just use NSS to access installed certificates to sign using PKCS#11 interface.

Re: 64bit NSS build on windows 7 x64

2013-08-26 Thread helpcrypto helpcrypto
I compiled nss+nspr+modutil+certutil 32 bits vs2009 last week. Didn't compile 64 bits cause Firefox 64 bits is no longer supported (IIRC). On Sat, Aug 24, 2013 at 2:21 PM, farhad@gmail.com wrote: I searched the net for 64bit build but didn't find anything, I don't have enough time to build

Re: Need to use the main NSS module as a PKCS#11 module in IBM Notes

2013-08-26 Thread helpcrypto helpcrypto
+1! On Sun, Aug 25, 2013 at 3:02 AM, Kyle Hamilton aerow...@gmail.com wrote: Hi, I'm finding myself in a situation where I need to use the certificates and keys stored in my standard NSS profile in other applications. My initial, naïve idea was that NSS itself is a PKCS#11 module.

Re: NSS+JSS in FIPS mode for Encryption and Decryption in java

2013-08-26 Thread helpcrypto helpcrypto
In the past we used JSS but at the end we have moved to SunPKCS11 provider. Consider using it as stated in http://docs.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html#NSS My two cents. On Thu, Aug 22, 2013 at 9:12 PM, raj raje...@gmail.com wrote: Need help in doing the NSS+JSS

Recent modutil/certutil builds?

2013-08-22 Thread helpcrypto helpcrypto
Hi. Does anyone in here have a recently compiled version of modutil, certutil and their dependencies, for windows platform? (better if both: 32 bits and 64 bits). Just to save time and head hitting against the wall... Thanks in advance!

Re: Recent modutil/certutil builds?

2013-08-22 Thread helpcrypto helpcrypto
nvm, already built. btw, is normal certutil -L -d path not to list/echo anything? On Thu, Aug 22, 2013 at 9:50 AM, helpcrypto helpcrypto helpcry...@gmail.com wrote: Hi. Does anyone in here have a recently compiled version of modutil, certutil and their dependencies, for windows platform

Re: Contribution

2013-07-18 Thread helpcrypto helpcrypto
Hi Shivam. Look for little bugs, like https://bugzilla.mozilla.org/show_bug.cgi?id=670895 and start to get used to NSS internals. Also, check https://developer.mozilla.org/en/docs/NSS And don't hesitate to ask ;) On Thu, Jul 18, 2013 at 9:37 AM, Shivam Agarwal

Re: Issues with strategy used by org.mozilla.jss.CryptoManager#findPrivKeyByCert to find matching Private Key

2013-04-22 Thread helpcrypto helpcrypto
and tokens that are configured in the NSS DB and freely access all of it. On Fri, Apr 19, 2013 at 8:57 AM, helpcrypto helpcrypto helpcry...@gmail.com wrote: On Tue, Apr 16, 2013 at 7:27 PM, Jaime Hablutzel Egoavil hablutz...@gmail.com wrote: Are you talking about PKCS11 bridge

Re: certutil - Generate a new key.

2013-04-19 Thread helpcrypto helpcrypto
On Tue, Apr 16, 2013 at 8:01 PM, Robert Relyea rrel...@redhat.com wrote: On 04/15/2013 02:34 PM, Matt Yakel wrote: Hi all, Is the certutil a linux tool only? I am needing to deploy Local Security Certs to our work network (windows). No, it can be built for pretty much any NSS supported

Re: Issues with strategy used by org.mozilla.jss.CryptoManager#findPrivKeyByCert to find matching Private Key

2013-04-19 Thread helpcrypto helpcrypto
On Tue, Apr 16, 2013 at 7:27 PM, Jaime Hablutzel Egoavil hablutz...@gmail.com wrote: Are you talking about PKCS11 bridge for a standard PKCS#11 module?. I was thinking in accessing smartcards configured in NSS database, so I don't have to deal with the location of the dll module. I'm sorry I'm

Re: Issues with strategy used by org.mozilla.jss.CryptoManager#findPrivKeyByCert to find matching Private Key

2013-04-16 Thread helpcrypto helpcrypto
of this functionality. Yes, we have smartcards and use them with Java. A little example: http://stackoverflow.com/a/8429162 Nice day! On Fri, Apr 12, 2013 at 4:54 AM, helpcrypto helpcrypto helpcry...@gmail.com wrote: On Thu, Apr 11, 2013 at 11:59 PM, Jaime Hablutzel Egoavil hablutz...@gmail.com wrote

Re: Removal of generateCRMFRequest

2013-04-08 Thread helpcrypto helpcrypto
More generally, I would like to remove all the Mozilla-proprietary methods and properties from window.crypto; i.e. all the ones at https://developer.mozilla.org/en-US/docs/JavaScript_crypto. Some of them are actually pretty problematic. Are there any worth keeping? signText() is used

Re: Removal of generateCRMFRequest

2013-04-08 Thread helpcrypto helpcrypto
On Mon, Apr 8, 2013 at 12:10 PM, Anders Rundgren anders.rundg...@telia.com wrote: This seems to be out of scope: http://lists.w3.org/Archives/Public/public-webcrypto/2013Apr/0072.html Hi Anders. As it scopes signing: http://www.w3.org/TR/WebCryptoAPI/#Crypto-method-sign, I suppose you mean

Re: Batch Signatures. Was: Web Crypto API(s) and what Mozilla wants / needs

2013-02-22 Thread helpcrypto helpcrypto
In my opinion this is a perfect application for server-based signatures. What's needed is an authorization signature where a responsible person attests that he/she have verified the correctness of the input data that I guess is presented in web format. The attestation would be stored in the

Re: Web Crypto API(s) and what Mozilla wants / needs

2013-02-21 Thread helpcrypto helpcrypto
So, to sum up: Will it be possible, using Web-Crypto API, to sign using a Pkcs#11 key/cert? What about MSCAPI key/cert? Will it be possible, using Web-Crypto API, to sign in batch-mode? Thanks for answers!

Re: Web Crypto API(s) and what Mozilla wants / needs

2013-02-21 Thread helpcrypto helpcrypto
BTW, what is this? http://html5.creation.net/webcrypto-api/

Re: Batch Signatures. Was: Web Crypto API(s) and what Mozilla wants / needs

2013-02-21 Thread helpcrypto helpcrypto
When we have to generate signed copies for a lot of documents (eg: student course certificates), we use our applet the following way: - step 1: authenticate and retrieve certificate to use - step 2 (n times): sign using selected certificate Of course, there are risks of signing undesired

Re: Web Crypto API(s) and what Mozilla wants / needs

2013-02-15 Thread helpcrypto helpcrypto
I do understand the frustration you must feel in trying to get browsers to work closely with your national ID/Cert system. There are many such systems, and trying to create an API that works with your specific requirements, hardware and regulations is very difficult. The WG notes this by

Re: Web Crypto API(s) and what Mozilla wants / needs

2013-02-15 Thread helpcrypto helpcrypto
The problem with this approach is that you expose keys to arbitrary javascript code which is rather different to for example TLS-client-certificate authentication which only exposes a high-level mechanism as well as a [reasonably] secure credential filtering scheme and user GUI. clear as

Re: Web Crypto API(s) and what Mozilla wants / needs

2013-02-15 Thread helpcrypto helpcrypto
I think we all mean key handles instead of plaintext key material but the problem is the same - keys get exposed naked and can be (ab)used for whatever. I mean, apart from malicious sign operations, I don't see any risk on javascript seeing a key handle. Is there any? If the only risk are

Re: Web Crypto API(s) and what Mozilla wants / needs

2013-02-15 Thread helpcrypto helpcrypto
ie: javascript invoke getKeyFromPKCS11(modulename) and #1 is returned, but can be used. How do you envision that this access should be controlled? Here imagine that you have dozens of keys, not just a single key in a smart card. The same way as SSL client authentication: with a dialog

Re: Web Crypto API(s) and what Mozilla wants / needs

2013-02-14 Thread helpcrypto helpcrypto
Hi David. First: Thank you (all) for your hard work on this. Second: Sorry for any mistake, typo or pocahontas speak. IMHO we NEED this, and Mozilla NEED it also. In our case, we are currently using a Java applet to make digital signature of documents in many formats (XMLDsig, XAdES, PAdES...)

Re: Create a SelfSign Certificate in C++

2013-02-04 Thread helpcrypto helpcrypto
https://www.google.com/search?q=c%2B%2B+create+self+signed+certificate On Sat, Feb 2, 2013 at 8:30 PM, James Burton james.burt...@btconnect.com wrote: Hello I want to create a selfsign certificate in c++ but I don't know where to start and I would like some help if you could make an example

Re: how to use mozzila root certs

2013-01-25 Thread helpcrypto helpcrypto
On Thu, Jan 24, 2013 at 3:44 PM, marathi...@gmail.com wrote: Hello, I need to add/remove certificates in my NSS db from certdata.txt (obtained from http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt) I was partially able to parse using the go script (it

Re: Shared system database

2012-07-25 Thread helpcrypto helpcrypto
Let me ask to make it clear: You are asking for: (paths are just for example purposes) a) To set up a $HOME/nss to store user certs + trusted by the user (actually more/less what already have). Doesn't Chrome use something like that already? b) To set up a /usr/nss to store system-wide certs and

Re: Building and running NSS for Android.

2012-07-10 Thread helpcrypto helpcrypto
IMVVHO, Firefox/Mozilla should work like Chrome: using the keystore of each OS. ie: MSKeystore on Windows, Keychain on OSX and (a shared) NSS on Linux. Similar for Android or other systems. Probably (surely) this was discussed somewhere and some time ago, but maybe the time to change has come

Missing libmozsqlite3.so on Ubuntu 12.04 Firefox 13?

2012-06-26 Thread helpcrypto helpcrypto
Probably I missed a known bug but: ldd /usr/lib/firefox/libsoftokn3.so shows libmozsqlite3.so => not found Can you confirm this? It is a bug, isn't it?

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-05-08 Thread helpcrypto helpcrypto
And what about applets without JSS, using Secmod [1] or the sunpkcs11 [2] provider? [1] http://www.docjar.com/docs/api/sun/security/pkcs11/Secmod.html [2] http://www.docjar.com/docs/api/sun/security/pkcs11/SunPKCS11.html Any comments?

Re: Running NSS as a Service

2012-05-02 Thread helpcrypto helpcrypto
+2! On Sat, Apr 28, 2012 at 8:13 PM, Robert Townley fossco...@gmail.com wrote: On Friday, February 17, 2012 11:07:47 AM UTC-6, Anders Rundgren wrote: After looking into several similar solutions including Gnome Keyring I wonder if it is not time for NSS transcending into a service rather than

Re: Feedback on DOMCryptInternalAPI

2012-04-26 Thread helpcrypto helpcrypto
Supporting smart cards in the spec and first implementations is not a goal, however, I think a lot of the base work we are doing will help in a future iteration. For instance, I hope that this Gecko 'internal API' will help extension and browser developers to experiment with smartcards,

Re: Feedback on DOMCryptInternalAPI

2012-04-26 Thread helpcrypto helpcrypto
If you want the signature + document to be legally sustainable and/or user-interpretable, then plaintext signatures with embedded public keys are the way to go.  You can base64-encode the public keys :)  Some further development of this theme is at

Re: Feedback on DOMCryptInternalAPI

2012-04-25 Thread helpcrypto helpcrypto
for signWithUserConfirmation as I know, that requirement was raised because of regulations of some countries. it is UI specific function and need some fixed UI (already mentioned spanish DNIe) I think we need some control for that with CSS style the very important concept is the content

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-23 Thread helpcrypto helpcrypto
Helpcrypto, a possible *long-term* solution to this is that the requester indicates such preferences. So if the requester says external card (for example) the dialog would not need the user to select. If there is no card present, it would ask the user to insert a suitable card. This is at

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-20 Thread helpcrypto helpcrypto
After reading your three mails, I have only one thing to say: Clear as water. Thanks a lot for your patience and effort on explaining this for short-minded like me. Thanks a lot, REALLY, for your long, detailed and clear answer. Of course, thanks a lot to Anders (which also suffered me) and

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-19 Thread helpcrypto helpcrypto
My scenario is a billion+ community who haven't a clue what a CSP is and never will.  They may not even know what a certificate is! A CSP-solution doesn't give the issuer any information about where and how a key was generated.  The same goes for NSS, JCE, and PKCS #11. Developer *can* know

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-19 Thread helpcrypto helpcrypto
(to me, that question makes no sense.  users can't talk to smart cards.  Only smart card readers and programs can.  So what smart card reader and what program is doing this?  A dumb smart card reader and a browser, following Javascript instructions from a website?  That'd be game over...) Why

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-19 Thread helpcrypto helpcrypto
I can see where this difficulty is, I've worked on smart cards and it is ... perverse.  I'll see if I can explain it.  As an aside I have no idea what the NSS people think, I'm not speaking for them, and they don't typically like what I say :)  Apologies out of the way, onwards! This sounds

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-19 Thread helpcrypto helpcrypto
My solution to this is to treat all PKI-using applications as complete applications running in trusted code.  W3C tries to do something different, we'll see how that pans out... Ok Anders, but you are -again- talking much about your protocol, not answering my question (or at least, I didn't get

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-19 Thread helpcrypto helpcrypto
Dear HelpCrypto, I'm not pushing my protocol.  I just don't think that web-pages should be able to directly address *any* device but the screen. If that were true, many things (like JSS) should disappear from MDN. Don't misunderstand. I'm not complaining about you or your protocol. If you take

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-18 Thread helpcrypto helpcrypto
Although E2ES (End-to-End-Security with respect to the *container*) is actually my line of work (http://webpki.org/papers/keygen2/sks-api-arch.pdf), I don't understand why you would use it during signing or authentication. Yes, TLS-client-cert-authentication is also E2ES but it works one level

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-18 Thread helpcrypto helpcrypto
On Wed, Apr 18, 2012 at 10:03 AM, Anders Rundgren anders.rundg...@telia.com wrote: Dear helpcrypto, now it became a little bit messy because I'm talking about principles while you are talking about specific interfaces like NSS, and PKCS #11. Ok. Rather than discussing technical or theoretical

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-17 Thread helpcrypto helpcrypto
I would not build a scheme based on NSS because NSS is not a prerequisite unless you force people to use Firefox. We aren't forcing. We already support Microsoft, OSX and Google browsers, and (trying) Firefox too.  Hooking Mozilla/NSS into native APIs like CryptoAPI is a much more important

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-17 Thread helpcrypto helpcrypto
So, do you (we) ALL agree NSS should be modified to hook with system keystores like Windows or OSX? (Linux has no default system keystore, so there will be no changes by now) Maybe wtc has something to say against this... Are Mozilla (we) going to see (wait) what is said on:

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-17 Thread helpcrypto helpcrypto
It was for example suggested that PKCS #11 should be exposed as a JavaScript object.  I think that is a downright ridiculous idea, almost as bad as: http://www.sconnect.com/FAQ/index.html Let me expose two user-cases where I think that will be helpful (and maybe the only option). -Web page

Re: cert8.db rewrite reasons and exceptions?

2012-04-16 Thread helpcrypto helpcrypto
On Mon, Apr 9, 2012 at 6:16 PM, Anders Rundgren anders.rundg...@telia.com wrote: On 2012-04-09 12:13, helpcrypto helpcrypto wrote: http://www.w3.org/2011/11/webcryptography-charter.html BSmith and RRelyea directed me there also. All fishes go to sea... ;) The really big fishes (Google, Apple

Re: cert8.db rewrite reasons and exceptions?

2012-04-09 Thread helpcrypto helpcrypto
So, IIUC, both of you consider using system/os/platform keystore (directly [or hooked]) the best option? -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Recent builds of NSS on Windows?

2012-04-09 Thread helpcrypto helpcrypto
The only way I recommend building NSS on Windows is with Microsoft Visual C++ and the mozilla-build package located at https://developer.mozilla.org/en/Windows_Build_Prerequisites#MozillaBuild_.2F_Pymake :( See https://bugzilla.mozilla.org/show_bug.cgi?id=570340 where there is a

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-09 Thread helpcrypto helpcrypto
Google Chrome is exposing NSS to Java/JSS on Mac OS X? I did not think that Chrome uses the NSS certificate database at all on Mac OS X. Google Chrome uses each OS-specific keystore. On OSX it's keychain, so there's no need of JSS. In Linux, and using shared nss db, it uses jss and works well.

Re: cert8.db rewrite reasons and exceptions?

2012-04-09 Thread helpcrypto helpcrypto
IMHO it depends quite a bit on what your target audience is. Document signing on a web browser, it's *always* done using Java applets. Tax payment, traffic bills, more taxes...in our case, official documents signed by the ministry authorized people.

Re: cert8.db rewrite reasons and exceptions?

2012-04-09 Thread helpcrypto helpcrypto
http://www.w3.org/2011/11/webcryptography-charter.html BSmith and RRelyea directed me there also. All fishes go to sea... ;) http://webpki.org/papers/wasp/wasp-tutorial.pdf http://webpki.org/papers/keygen2/sks-keygen2-exec-level-presentation.pdf I think I already read both documents some

Re: cert8.db rewrite reasons and exceptions?

2012-04-04 Thread helpcrypto helpcrypto
IIRC, NSS doesn't have an official maintainer on Mozilla bugs, isn't it? If this happens, it's probably the source of many problems here. I have filed a few bugs and most of them aren't even checked. To be fair honest, I'm also guilty of that, but I don't feel confident enough to edit Mozilla source.

To NSS-Java or not to NSS-Java, thats the question.

2012-04-03 Thread helpcrypto helpcrypto
Hi all [Opening my pandora...]. A few months ago we started having problems with NSS (and OSX): -Cannot load NSS libs from applet on Firefox 4 on MacOSX http://forums.mozillazine.org/viewtopic.php?f=38t=2165273 -Firefox 4 bad initialize on Mac OSX 10.6.7 This cause wrong java.library.path,

Re: cert8.db rewrite reasons and exceptions?

2012-04-03 Thread helpcrypto helpcrypto
Thanks for the info. Countdown to sqlite...

NSS Secmod.db content ??? (maybe same for cert8.db/key3.kb)

2012-03-29 Thread helpcrypto helpcrypto
Hello, this is a question for the NSPR/NSS guys. A few days ago, while having a problem parsing secmod.db contents we found: http://stackoverflow.com/questions/2873581/is-it-possible-to-access-a-bdb-from-pure-java and also: http://sethi.org/tmp/ssh/src/com/mindbright/bdb/DBHash.java

Re: Recent builds of NSS on Windows?

2012-03-28 Thread helpcrypto helpcrypto
Hi brian ( CO) Today, a buggy old/legacy modutil.exe binary we are using, made me try building NSS using mingw. Once again. ... make[4]: /mingw/bin/windres: Command not found Ok...i must copy windres from another mingw and this seems solved. ... make[2]: Entering directory
