On Wed, Aug 6, 2008 at 1:11 PM, Eddy Nigg [EMAIL PROTECTED] wrote:
In other words, Comodo would issue multiple certificates for the very
same domain name? You could have multiple valid certificates for
www.mozilla.com?
Technically, there is absolutely nothing wrong with this. Multiple
IPs
Robin Alden wrote:
Sure, but CAs issue certificates to IP addresses too (as we discuss below)
yet the policy does not allow for the possibility. Either the policy is
imprecise, or it is being flouted by the CAs that issue certificates for IP
addresses.
You're correct, this is a gap in our
Frank Hecker wrote:
Frank Hecker wrote:
I am now opening the first public discussion period for a request from
Comodo to add the Comodo ECC Certification Authority root certificate
to Mozilla and enable it for EV use. This is bug 421946, and Kathleen
has produced an information document
Robin Alden:
I think an IP address is almost on the same level as a domain name, but
even here there can be problems. For example if you are willing to
validate dynamic assigned IP addresses, then this can be actively
exploited obviously. An assigned IP may belong to somebody else within a
Frank Hecker wrote:
Robin Alden wrote:
snip
Frank, would you consider these practices of issuing certificates to
hostnames* and also of issuing to non-internet routable IP addresses as
being something to add to your problematic practices list?
Yes, I'll do that.
Done:
Frank Hecker:
Yes, I'll do that. (Incidentally, I'm now calling it the potentially
problematic practices list, because there's a lack of consensus on the
extent to which some of these practices are problems in general.)
Frank, where is the lack of consensus exactly? Are you referring to bug
Eddy Nigg wrote:
Frank Hecker:
Yes, I'll do that. (Incidentally, I'm now calling it the potentially
problematic practices list, because there's a lack of consensus on the
extent to which some of these practices are problems in general.)
Frank, where is the lack of consensus exactly?
IIRC
-Original Message-
From: Eddy Nigg
Sent: Wednesday, August 06, 2008 9:12 PM
To: dev-tech-crypto@lists.mozilla.org
Subject: Re: Comodo ECC CA inclusion/EV request
Robin Alden:
Eddy Nigg said:
In http://www.mozilla.org/projects/security/certs/policy/ section 7
explicitly states
Eddy Nigg wrote:
[...]
In other words, Comodo would issue multiple certificates for the very
same domain name? You could have multiple valid certificates for
www.mozilla.com?
It's an actually useful option. You may want the multiple servers that
will answer for www.mozilla.com to not
Eddy Nigg said:-
Robin Alden:
f) refers to an SSL product which is limited in such a way that it isn't
generally usable on the public internet. We offer no warranty on the
product, and the main part of the domain validation is to ensure that the
domain name in the certificate is not a
Eddy Nigg wrote:
My point was that Comodo does issue certificates according to the
problematic practices listed in our document. Not only that, it does
more than one of those practices. You stated in the bug however that
Comodo doesn't issue certificates according to the Problematic
Eddy Nigg wrote:-
(to Frank Hecker)
As per your comment in
https://bugzilla.mozilla.org/show_bug.cgi?id=421946#c17 you
state that no problematic practices associated with this CA,
but I found that in section 2.4.1 domain validated wild cards
are issued, which is listed in
Robin Alden wrote:-
Eddy Nigg wrote:-
Oh and f) is also interesting ;-), I wonder how many
localhost certificates were issued so far...
[Robin said...]
Not many! We do issue quite a number for organizations to use internally on
other names, though.
E.g. if we have a server on our
Eddy Nigg wrote:
As per your comment in
https://bugzilla.mozilla.org/show_bug.cgi?id=421946#c17 you state that
no problematic
practices associated with this CA, but I found that in section 2.4.1
domain validated wild cards are issued, which is listed in
Robin Alden:
f) refers to an SSL product which is limited in such a way that it isn't
generally usable on the public internet. We offer no warranty on the
product, and the main part of the domain validation is to ensure that the
domain name in the certificate is not a valid internet name or,
Frank Hecker:
Eddy Nigg wrote:
As per your comment in
https://bugzilla.mozilla.org/show_bug.cgi?id=421946#c17 you state that
no problematic
practices associated with this CA, but I found that in section 2.4.1
domain validated wild cards are issued, which is listed in
Robin Alden:
f) refers to an SSL product which is limited in such a way that it isn't
generally usable on the public internet. We offer no warranty on the
product, and the main part of the domain validation is to ensure that the
domain name in the certificate is not a valid internet name or,
Frank Hecker:
Frank Hecker wrote:
I am now opening the first public discussion period for a request from
Comodo to add the Comodo ECC Certification Authority root certificate
to Mozilla and enable it for EV use. This is bug 421946, and Kathleen
has produced an information document attached to
On Saturday 19 July 2008 19:30:51 Paul Hoffman wrote:
At 11:04 AM +0100 7/19/08, Rob Stradling wrote:
I think that the ECDSA signature algorithms will only be supported in
OpenSSL 0.9.9 (not yet released) and above.
Try a recent openssl-SNAP-2008mmdd.tar.gz from
Frank Hecker wrote:
I am now opening the first public discussion period for a request from
Comodo to add the Comodo ECC Certification Authority root certificate to
Mozilla and enable it for EV use. This is bug 421946, and Kathleen has
produced an information document attached to the bug.
Paul Hoffman wrote:
At 3:24 PM -0700 7/18/08, Wan-Teh Chang wrote:
On Fri, Jul 18, 2008 at 1:58 PM, Paul Hoffman [EMAIL PROTECTED]
wrote:
There's a test site with a Comodo-issued ECC cert at
https://comodoecccertificationauthority-ev.comodoca.com/
...which no browser will let me into. :-)
Paul Hoffman wrote:
At 3:24 PM -0700 7/18/08, Wan-Teh Chang wrote:
On Fri, Jul 18, 2008 at 1:58 PM, Paul Hoffman [EMAIL PROTECTED]
wrote:
There's a test site with a Comodo-issued ECC cert at
https://comodoecccertificationauthority-ev.comodoca.com/
...which no browser will let me into.
On Saturday 19 July 2008 00:26:57 Paul Hoffman wrote:
At 6:18 PM -0400 7/18/08, Frank Hecker wrote:
Paul Hoffman wrote:
At 9:27 AM -0400 7/18/08, Frank Hecker wrote:
Paul Hoffman wrote:
Has anyone validated the ECC parameters they used?
Not that I'm aware.
I think that's
At 11:04 AM +0100 7/19/08, Rob Stradling wrote:
I think that the ECDSA signature algorithms will only be supported in OpenSSL
0.9.9 (not yet released) and above.
Try a recent openssl-SNAP-2008mmdd.tar.gz from ftp://ftp.openssl.org/snapshot
instead.
Will do.
Non-mandatory question: what
Frank Hecker wrote, On 2008-07-18 15:18:
Paul Hoffman wrote:
At 9:27 AM -0400 7/18/08, Frank Hecker wrote:
Paul Hoffman wrote:
Has anyone validated the ECC parameters they used?
Not that I'm aware.
I think that's unfortunate. It is easy for all of us to test the
parameters for RSA
Paul Hoffman wrote, On 2008-07-18 20:00:
2. Import that root CA cert.
restart FF (at least 3)...
should not be necessary. Might be necessary to see the cert in the UI,
due to possible UI issues, but is not required in NSS.
I hope you trust the ECC implementation in NSS.
I do, but
Nelson B Bolyard wrote:
Frank Hecker wrote, On 2008-07-18 15:18:
Paul Hoffman wrote:
At 9:27 AM -0400 7/18/08, Frank Hecker wrote:
Paul Hoffman wrote:
Has anyone validated the ECC parameters they used?
Not that I'm aware.
I think that's unfortunate. It is easy for all of us to test the
Paul Hoffman wrote:
Has anyone validated the ECC parameters they used?
Not that I'm aware. There's a test site with a Comodo-issued ECC cert at
https://comodoecccertificationauthority-ev.comodoca.com/
and the Comodo ECC root CA cert itself is available at
On Thu, Jul 17, 2008 at 8:54 PM, Paul Hoffman [EMAIL PROTECTED] wrote:
Has anyone validated the ECC parameters they used?
They use the NIST P-384 curve (secp384r1), which is in NSA Suite B.
Wan-Teh
___
dev-tech-crypto mailing list
On Fri, Jul 18, 2008 at 6:27 AM, Frank Hecker
[EMAIL PROTECTED] wrote:
Paul Hoffman wrote:
Has anyone validated the ECC parameters they used?
Not that I'm aware. There's a test site with a Comodo-issued ECC cert at
https://comodoecccertificationauthority-ev.comodoca.com/
and the Comodo
Wan-Teh Chang wrote:
In your summary of information for CAs, you
should replace Modulus (key length) by EC parameters (named curve)
for ECC roots.
I've revised the information checklist to reflect your comments; see
item 2.6:
http://wiki.mozilla.org/CA:Information_checklist
Please let me
On Fri, Jul 18, 2008 at 12:48 PM, Frank Hecker
[EMAIL PROTECTED] wrote:
Wan-Teh Chang wrote:
In your summary of information for CAs, you
should replace Modulus (key length) by EC parameters (named curve)
for ECC roots.
I've revised the information checklist to reflect your comments; see
At 9:27 AM -0400 7/18/08, Frank Hecker wrote:
Paul Hoffman wrote:
Has anyone validated the ECC parameters they used?
Not that I'm aware.
I think that's unfortunate. It is easy for all of us to test the
parameters for RSA certs, but few of us have software for testing ECC
certs.
There's a
Paul Hoffman wrote:
At 9:27 AM -0400 7/18/08, Frank Hecker wrote:
Paul Hoffman wrote:
Has anyone validated the ECC parameters they used?
Not that I'm aware.
I think that's unfortunate. It is easy for all of us to test the
parameters for RSA certs, but few of us have software for testing
At 6:18 PM -0400 7/18/08, Frank Hecker wrote:
Paul Hoffman wrote:
At 9:27 AM -0400 7/18/08, Frank Hecker wrote:
Paul Hoffman wrote:
Has anyone validated the ECC parameters they used?
Not that I'm aware.
I think that's unfortunate. It is easy for all of us to test the
parameters for
On Fri, Jul 18, 2008 at 1:58 PM, Paul Hoffman [EMAIL PROTECTED] wrote:
There's a test site with a Comodo-issued ECC cert at
https://comodoecccertificationauthority-ev.comodoca.com/
...which no browser will let me into. :-)
and the Comodo ECC root CA cert itself is available at
At 3:24 PM -0700 7/18/08, Wan-Teh Chang wrote:
On Fri, Jul 18, 2008 at 1:58 PM, Paul Hoffman [EMAIL PROTECTED] wrote:
There's a test site with a Comodo-issued ECC cert at
https://comodoecccertificationauthority-ev.comodoca.com/
...which no browser will let me into. :-)
and the Comodo
Has anyone validated the ECC parameters they used?
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
38 matches