Re: ECDSA certs?

2008-08-25 Thread Momcilo Majic
Thank you. Julien R Pierre - Sun Microsystems wrote: > Momcilo, > > Momcilo Majic wrote: > >> - What is the reason for intentional breaking of build with >> NSS_ECC_MORE_THAN_SUITE_B ( #error)? (is it safe to override this?) > > No, it's not safe to override. You will get a broken build for ECC

Re: cmsutil -R generating orphan key

2008-08-25 Thread Momcilo Majic
Hi, you were correct, the trust was designated as Pu,Pu,Pu. Still - NSS is 3.12 built on Windows XP, VS2003 + MozillaBuild - NSS_ENABLE_ECC + NSS_ECC_MORE_THAN_SUITE_B with patched ecl-curve.h (removed #error) I will try to find the topic you mentioned. Best regards, Momcilo Majic Nelson B

Re: automatically installing new client SSL certificate into Firefox

2008-08-25 Thread Nelson B Bolyard
Peter Djalaliev wrote, On 2008-08-25 13:15: > Hello, > > I recently went to GoDaddy and created myself a new client SSL > certificate. During the process Firefox generated a new key pair, the > GoDaddy application issued the certificate and Firefox installed it > automatically (after asking me) i

Re: cmsutil -R generating orphan key

2008-08-25 Thread Nelson B Bolyard
Momcilo Majic wrote, On 2008-08-25 13:03: > I have created simple CA using ejbca. The root certificate is ECDSA based. > > 1. Then I've tried to create certificate request using certutil: > certutil -R -s "CN=TestECDSA" -o request.req -a -d database -k ec -q > nistp192 -a > 2. I've uploaded resu

Re: ECDSA certs?

2008-08-25 Thread Julien R Pierre - Sun Microsystems
Momcilo, Momcilo Majic wrote: > - What is the reason for intentional breaking of build with > NSS_ECC_MORE_THAN_SUITE_B ( #error)? (is it safe to override this?) No, it's not safe to override. You will get a broken build for ECC. This is why the #error is there. You can check out the ecl-curve

ECDSA in Thunderbird

2008-08-25 Thread Doug Mitchell
Hello, I've searched high and low and can't find any mention of this on any groups or msg Board or KB article, so here goes... I am trying to determine if Thunderbird supports S/MIME using ECDSA. I've tried with TB 2.0.0.16 and with Shredder Alpha 2 and get the same results as described bel

Re: automatically installing new client SSL certificate into Firefox

2008-08-25 Thread Anders Rundgren
GoDaddy probably uses generateCRMFRequest Try it: http://demo.webpki.org/mozkeygen Read about it: http://developer.mozilla.org/en/generateCRMFRequest anders - Original Message - From: "Peter Djalaliev" <[EMAIL PROTECTED]> Newsgroups: mozilla.dev.tech.crypto To: Sent: Monday, August 25,

Re: Dan Kaminsky's DNS talk discusses SSL

2008-08-25 Thread Eddy Nigg
Kyle Hamilton: > > > In the event of a contract (either electronic or physical), the EV > site operator has legal assurance and agreement to adhere the minimum > standards required, and has legal recourse if those requirements are > violated. The end user has legal assurance (in the form of the EV

automatically installing new client SSL certificate into Firefox

2008-08-25 Thread Peter Djalaliev
Hello, I recently went to GoDaddy and created myself a new client SSL certificate. During the process Firefox generated a new key pair, the GoDaddy application issued the certificate and Firefox installed it automatically (after asking me) into the NSS database. Can anybody provide any pointers

cmsutil -R generating orphan key

2008-08-25 Thread Momcilo Majic
Hi, I have created simple CA using ejbca. The root certificate is ECDSA based. 1. Then I've tried to create certificate request using certutil: certutil -R -s "CN=TestECDSA" -o request.req -a -d database -k ec -q nistp192 -a 2. I've uploaded resulting request to the EJBCA, signing and got cert.p

Re: inserting own extended validation certificate root

2008-08-25 Thread Peter Djalaliev
Hi Jakob, I followed the similar question you posted on the OpenSSL users forum and I generally agree with the feedback they provided. I believe that browsers usually hardcode the list of CAs trusted to issue EV certificates. In terms of Firefox, I believe that the list can be found in: http://

Re: Soft token provider capabilities

2008-08-25 Thread Nelson B Bolyard
Anders Rundgren wrote, On 2008-08-25 03:01: > Thank you very much Nelson! > > Yes, it seems that P11's C_InitPIN only talks about tokens > which apparently is not the same thing as a key. Right. A token is analogous to a "smart card" or "HSM". It may have storage for multiple keys and certifica

Re: Dan Kaminsky's DNS talk discusses SSL

2008-08-25 Thread Kyle Hamilton
On Mon, Aug 25, 2008 at 10:24 AM, Eddy Nigg <[EMAIL PROTECTED]> wrote: > > I'm living in the same world as you do my friend! And yes, I suggest > that EV sites shouldn't outsource anything not under their control. > That's because the site operator (of an EV site) doesn't have control > over outsou

Re: Dan Kaminsky's DNS talk discusses SSL

2008-08-25 Thread Eddy Nigg
Gervase Markham: > Eddy Nigg wrote: >> Because CAs (SHOULD) have controls in place to prevent that. > > Well, of course. But if another vulnerability in DNS is discovered like > the recent one, no amount of "controls" is going to help for the period > during which the Internet remains unpatched (as

Re: Dan Kaminsky's DNS talk discusses SSL

2008-08-25 Thread Eddy Nigg
Gervase Markham: > Eddy Nigg wrote: >> Gervase Markham: >>> Exactly my point. If the CA's DNS is secure, the EV system is safe. If >>> it's not, it's not. So the two are linked, and they shouldn't be. >> I think you meant DV, not EV here... > > No, I mean EV, because the security of EV depends on t

Re: inserting own extended validation certificate root

2008-08-25 Thread Kai Engert
[EMAIL PROTECTED] wrote: for "normal" CAs, it's an easy task to add them as trusted root to Mozilla. Now I'm trying to setup my own local extended validation CA. Is it possible to add it locally as trusted root? On the OpenSSL mailing list I was told this wouldn't be an easy task, as EV CAs are

Re: Bug 455162 - Provide a FIPS 140-2 compatibility mode

2008-08-25 Thread Nelson B Bolyard
Note: the bug number cited in the subject of this thread is incorrect. See https://bugzilla.mozilla.org/show_bug.cgi?id=445162 Kyle Hamilton wrote, On 2008-08-23 19:29: > MisterSSL, I'm rather appalled that you are ignoring the realities of > US government user requirements. Kyle, I am utterly

inserting own extended validation certificate root

2008-08-25 Thread mail.an.jakob
Hello, for "normal" CAs, it's an easy task to add them as trusted root to Mozilla. Now I'm trying to setup my own local extended validation CA. Is it possible to add it locally as trusted root? On the OpenSSL mailing list I was told this wouldn't be an easy task, as EV CAs are embedded differentl

Re: Bug 455162 - Provide a FIPS 140-2 compatibility mode

2008-08-25 Thread Nelson B Bolyard
Kyle Hamilton wrote, On 2008-08-23 19:29: > (For reference: > > http://www.mozilla.org/projects/cck/ > http://www.mozilla.org/projects/cck/firefox/ > > These are the only pages I could find which came up on a "Client > Customization Kit Mozilla" search on google.) See also:

Re: Bug 455162 - Provide a FIPS 140-2 compatibility mode

2008-08-25 Thread Nelson B Bolyard
Gervase Markham wrote, On 2008-08-25 03:48: > Kyle Hamilton wrote: >> The commonly-proposed alternative is to use the Client Customization >> Kit. This is a kit that creates an XUL file to customize the >> installation of Firefox, and which creates an extension which applies >> the XUL-formatted

Re: Dan Kaminsky's DNS talk discusses SSL

2008-08-25 Thread Kyle Hamilton
My view: Anything that comes from an EV-validated site should be viewed as being approved by that EV-validated site. Regardless of the actual company, domain, or even certificate Subject providing any part of the connection, the initial (root) page is the one that has the EV associated with it --

Re: Bug 455162 - Provide a FIPS 140-2 compatibility mode

2008-08-25 Thread Gervase Markham
Kyle Hamilton wrote: > MisterSSL, I'm rather appalled that you are ignoring the realities of > US government user requirements. I would note in this connection that the Mozilla project as a whole does not seem to have enterprise use as a specific goal - although many enterprises happily use it. T

Re: Dan Kaminsky's DNS talk discusses SSL

2008-08-25 Thread Gervase Markham
Eddy Nigg wrote: > Gervase Markham: >> >> Exactly my point. If the CA's DNS is secure, the EV system is safe. If >> it's not, it's not. So the two are linked, and they shouldn't be. > > I think you meant DV, not EV here... No, I mean EV, because the security of EV depends on the security of DV if

Re: Dan Kaminsky's DNS talk discusses SSL

2008-08-25 Thread Gervase Markham
Nelson B Bolyard wrote: > How does the user > a) know that some content is the responsibility of a different entity than > the one identified by Larry, and > b) find the identity of the entity responsible for that other content? They don't, because any UI which attempted to display all the informa

Re: Dan Kaminsky's DNS talk discusses SSL

2008-08-25 Thread Gervase Markham
Eddy Nigg wrote: > Because CAs (SHOULD) have controls in place to prevent that. Well, of course. But if another vulnerability in DNS is discovered like the recent one, no amount of "controls" is going to help for the period during which the Internet remains unpatched (assuming it's fixable at all

Re: ECDSA certs?

2008-08-25 Thread Momcilo Majic
I've checked for ifdef or ifndef of NSS_ECC_MORE_THAN_SUITE_B. They are located in several .h and .c files: - sslimpl.h - sslcon.c - ssl3ecc.c - ssl3con.c - softkver.h - secsign.c - p7decode.c - nss.h - fipstest.c - ecl-curve.h - ecl.c - cmssiginfo.c - certutil.c Manual patching of files of intere

Re: Soft token provider capabilities

2008-08-25 Thread Anders Rundgren
Thank you very much Nelson! Yes, it seems that P11's C_InitPIN only talks about tokens which apparently is not the same thing as a key. This is a bit unfortunate, because there are several things in progress like IETF's KEYPROV and yours truly's KeyGen2 that require a per-key PIN-setting ability.