Re: Draft how to apply guide for CAs

2008-11-15 Thread Eddy Nigg
On 11/15/2008 05:14 AM, Frank Hecker: One of the things I'm trying to do (with lots of help from Kathleen Wilson) is to document how the CA evaluation process works, so that CAs can have a better understanding of what will happen during the process and what they will be asked to do. A primary

Re: DNSSEC? Re: MITM in the wild

2008-11-15 Thread Florian Weimer
* Alaric Dailey: DNSSEC is an assertion of validity of the DNS. EV certs assert that the business behind the cert is legit. Only that a legal entity exists (whether it's legitimate is not checked). EV certificates are routinely issued to organizations which do not run the business which

Re: DNSSEC? Re: MITM in the wild

2008-11-15 Thread Eddy Nigg
On 11/15/2008 05:19 PM, Florian Weimer: * Alaric Dailey: DNSSEC is an assertion of validity of the DNS. EV certs assert that the business behind the cert is legit. Only that a legal entity exists (whether it's legitimate is not checked). EV certificates are routinely issued to

Re: DNSSEC? Re: MITM in the wild

2008-11-15 Thread Wes Kussmaul
Eddy Nigg wrote: On 11/15/2008 05:19 PM, Florian Weimer: * Alaric Dailey: DNSSEC is an assertion of validity of the DNS. EV certs assert that the business behind the cert is legit. Only that a legal entity exists (whether it's legitimate is not checked). EV certificates are routinely

Re: DNSSEC? Re: MITM in the wild

2008-11-15 Thread Eddy Nigg
On 11/15/2008 05:57 PM, Wes Kussmaul: Eddy Nigg wrote: On 11/15/2008 05:19 PM, Florian Weimer: * Alaric Dailey: DNSSEC is an assertion of validity of the DNS. EV certs assert that the business behind the cert is legit. Only that a legal entity exists (whether it's legitimate is not

Re: DNSSEC? Re: MITM in the wild

2008-11-15 Thread Paul Hoffman
At 8:20 PM +0200 11/15/08, Eddy Nigg wrote: Let's stay focused! This thread started off with a purported newbie having a problem with seeing self-signed certs where she shouldn't have. It then morphed into a discussion of security UI design. Then it went to what users should and should not be

Re: DNSSEC? Re: MITM in the wild

2008-11-15 Thread Eddy Nigg
On 11/15/2008 10:04 PM, Paul Hoffman: At 8:20 PM +0200 11/15/08, Eddy Nigg wrote: Let's stay focused! This thread started off with a purported newbie having a problem with seeing self-signed certs where she shouldn't have. It then morphed into a discussion of security UI design. Then it went

What are the problems with overspecified AKID?

2008-11-15 Thread Kyle Hamilton
What are the problems with overspecified Authority Key ID fields? (i.e., both key ID and issuer's name/serialnumber)? I'm noticing that it's part of the Certificate Policy v1.2 (paragraph 4, in the 'incorrect extensions' bullet point), but I still haven't been able to figure it out. Is there

Re: NSS DB migration problem

2008-11-15 Thread Hans Petter Jansson
On Fri, 2008-11-14 at 22:56 -0800, Nelson B Bolyard wrote: Hans Petter Jansson wrote, On 2008-11-14 21:54: This works for some databases, but not others. It doesn't seem to matter which application created the database (I've tried with databases from Firefox and Evolution) - e.g. one

Re: SSL version 3 - How Firefox constructs key materials for 3DES

2008-11-15 Thread rusdy13
Thanks Nelson, it works... Actually I already read rfc2246 and others many times, switch from ssl to tls v1.0 back and forth, tried rc4, and even got worse. Rusdy Nelson B Bolyard wrote: Rusdy13 wrote, On 2008-11-12 02:25: I've been developing a web server (research) based on ssl version 3 doc

Re: NSS DB migration problem

2008-11-15 Thread Nelson B Bolyard
Hans Petter Jansson wrote, On 2008-11-15 17:57: On Fri, 2008-11-14 at 22:56 -0800, Nelson B Bolyard wrote: Hans Petter Jansson wrote, On 2008-11-14 21:54: This works for some databases, but not others. It's on separate workstations, but in some cases one database migrates successfully