Re: What exactly are the benefits of libpkix over the old certificate path validation library?

2012-01-05 Thread Robert Relyea
On 01/04/2012 05:56 PM, Brian Smith wrote: Robert Relyea wrote: On 01/04/2012 04:18 PM, Brian Smith wrote: Are you actually fetching intermediates? In the cases where you fetch the intermediates, the old code will not work! We don't fetch the intermediate if we already have it, or it's

Re: What exactly are the benefits of libpkix over the old certificate path validation library?

2012-01-05 Thread Jean-Marc Desperrier
Robert Relyea wrote: 7. libpkix can actually fetch CRLs on the fly. The old code can only use CRLs that have been manually downloaded. We have hacks in PSM to periodically load CRLs, which work for certain enterprises, but not with the internet. PSM's periodic CRL downloads certainly

Re: What exactly are the benefits of libpkix over the old certificate path validation library?

2012-01-05 Thread Jean-Marc Desperrier
Brian Smith wrote: 3. libpkix can enforce certificate policies (e.g. requiring EV policy OIDs). Can the non-libpkix validation? EV policies have been defined in a way that means they could be supported by code that handles an extremely tiny part of all that is possible with RFC 5280

Re: What exactly are the benefits of libpkix over the old certificate path validation library?

2012-01-05 Thread Ryan Sleevi
(resending from the correct address) On 01/04/2012 03:51 PM, Brian Smith wrote: Ryan Sleevi wrote: IIRC, libpkix is an RFC 3280 and RFC 4158 conforming implementation, while non-libpkix is not. That isn't to say the primitives don't exist - they do, and libpkix uses them - but that

Re: Developing pkcs11 module for Firefox

2012-01-05 Thread Anders Rundgren
On 2012-01-05 02:45, Robert Relyea wrote: I am curious as to how smartcard management is supposed to work for Linux. It seems to me that it would be ideal for Firefox to support the shared DB on Linux. Are there OS-level tools for managing the shared DB. For example, is there an OS-level UI

Re: What exactly are the benefits of libpkix over the old certificate path validation library?

2012-01-05 Thread Ryan Sleevi
On 01/04/2012 03:51 PM, Brian Smith wrote: Ryan Sleevi wrote: IIRC, libpkix is an RFC 3280 and RFC 4158 conforming implementation, while non-libpkix is not. That isn't to say the primitives don't exist - they do, and libpkix uses them - but that the non-libpkix path doesn't use

Re: Regarding PSM with external SSL library

2012-01-05 Thread Ashok Subash
Hi Brian, We'll go with your suggestion of using NSS after size reduction for this project for our security requirements. But right now we cannot upgrade to latest firefox due to the current schedule and resources we have for this project. We will follow the guidelines listed in the 611781 as

Re: What exactly are the benefits of libpkix over the old certificate path validation library?

2012-01-05 Thread Brian Smith
Jean-Marc Desperrier wrote: Brian Smith wrote: 3. libpkix can enforce certificate policies (e.g. requiring EV policy OIDs). Can the non-libpkix validation? EV policies have been defined in a way that means they could be supported by code that handles an extremely tiny part of all
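The two messages above (Jean-Marc Desperrier's and Brian Smith's reply) turn on how little of RFC 5280 a code path needs in order to check an EV policy OID. The following is an added example, not NSS, libpkix or PSM code: it parses only the DER of the certificatePolicies extension value (SEQUENCE OF PolicyInformation, each starting with an OBJECT IDENTIFIER) and asks whether a required OID is asserted. The sample extension bytes are constructed here, and the required OID defaults to the CA/Browser Forum EV OID 2.23.140.1.1; a real EV check also has to confirm the policy is valid along the whole chain to an EV-enabled anchor, which this leaf-only check does not do.

```python
"""Check an X.509 certificatePolicies extension value for a required policy OID.

Added example, not code from NSS/libpkix/PSM. Handles only:
  certificatePolicies ::= SEQUENCE OF PolicyInformation
  PolicyInformation   ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER, qualifiers ... OPTIONAL }
Qualifiers after the OID are skipped; this is the "tiny part" of RFC 5280 an EV OID check needs.
"""


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: 0x8N then N length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(value):
    """Decode OID content octets to dotted form, e.g. 67 81 0C 01 01 -> '2.23.140.1.1'."""
    if not value:
        raise ValueError("empty OID")
    arcs, acc, pending = [], 0, False
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)           # high bit set means the arc continues
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID arc")
    first = arcs[0]
    if first < 40:
        lead = [0, first]
    elif first < 80:
        lead = [1, first - 40]
    else:
        lead = [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def policy_oids(ext_value):
    """Return the policyIdentifier OIDs asserted in a certificatePolicies extension value."""
    tag, seq, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("certificatePolicies is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        ptag, pinfo, pos = _read_tlv(seq, pos)
        if ptag != 0x30:
            raise ValueError("PolicyInformation is not a SEQUENCE")
        otag, oid, _ = _read_tlv(pinfo, 0)  # anything after the OID (qualifiers) is ignored
        if otag != 0x06:
            raise ValueError("policyIdentifier is not an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid))
    return oids


CABF_EV_OID = "2.23.140.1.1"               # CA/Browser Forum EV policy OID (assumed target here)


def has_policy(ext_value, required=CABF_EV_OID):
    """True if the extension asserts `required`; anyPolicy (2.5.29.32.0) does NOT count."""
    return required in policy_oids(ext_value)


# Constructed sample: certificatePolicies asserting the CABF EV OID and anyPolicy.
EV_AND_ANY = bytes.fromhex("3011" "3007" "060567810c0101" "3006" "0604551d2000")
# Constructed sample: anyPolicy only; an EV check must reject this even though a policy is present.
ANY_ONLY = bytes.fromhex("3008" "3006" "0604551d2000")

if __name__ == "__main__":
    print(policy_oids(EV_AND_ANY), has_policy(EV_AND_ANY))
    print(policy_oids(ANY_ONLY), has_policy(ANY_ONLY))
```

The check deliberately does not treat anyPolicy as satisfying an EV requirement: RFC 5280's policy processing lets anyPolicy in a CA certificate map to any policy, but an EV decision on the end-entity must see the specific OID, which is also why chain-wide policy processing (what libpkix provides) is needed beyond this leaf-only parse.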

Re: Regarding PSM with external SSL library

2012-01-05 Thread Brian Smith
Ashok Subash wrote: We'll go with your suggestion of using NSS after size reduction for this project for our security requirements. But right now we cannot upgrade to latest firefox due to the current schedule and resources we have for this project. We will follow the guidelines listed in the

Re: What exactly are the benefits of libpkix over the old certificate path validation library?

2012-01-05 Thread Jean-Marc Desperrier
Robert Relyea wrote: On 01/04/2012 05:56 PM, Brian Smith wrote: Robert Relyea wrote: On 01/04/2012 04:18 PM, Brian Smith wrote: In the cases where you fetch the intermediates, the old code will not work! [...] I'm talking about fetching intermediates themselves because they