Re: Permanently store this exception selected by default

2010-06-18 Thread Jan Schejbal

Hi,
 Given users' tendency to click-through security warnings, would it
 not perhaps be better for that box to be UNchecked by default?


No. If it's a legitimate self-signed cert, it's best to store it - then the
user won't be bothered, but a real attack (changed cert again) would
trigger the warning again (not that it would help this user).


If it's an attack cert, the damage (stolen password etc.) often happens
with the first click anyway, so there is not much to lose after that.
And besides that, the user would click away the warning next time
anyway...


Jan
--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention FROM NG
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers... 


--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: Using NSS to export PKCS#12 pfx files

2010-06-18 Thread Nelson B Bolyard
On 2010-06-15 14:17 PDT, John Scott wrote:
 I'm doing the following to create a signed Firefox plugin
 
 http://oyoy.eu/huh/firefox-extension-code-signed-with-spc-pvk/
 
 However, I'm trying to automate the process, and the first step would be
 removing the need for pvkimprt. .NET code can export a PKCS#12 key with
 the private key from a PKCS#7 key, but it doesn't have the full chain of
 CAs, so is invalid for signing the plugin.

What are you trying to automate?

Are you trying to make it so that YOU can sign multiple plugins, or multiple
versions of a plugin under development, easily (say with a
batch file)?

Are you trying to make it so that ANYONE can sign a plugin easily?

Is there any reason the PKCS#12 file needs to be created more than once
per user?
Must the creation of the PKCS#12 file be automated?

Microsoft's own certificate manager is quite capable of generating a
PKCS#12 file with the whole cert chain and the requisite friendly name.
It's a fairly nice GUI program, so I wouldn't try to automate its use,
which is why I ask if the automation needs to include that step.

 Would using the NSS API be a practical approach? 

to do what?
to create a PKCS#12 file from the certs and keys in MS proprietary format?

 It seems that Firefox can export keys and it uses NSS to do that? 

Yes.

 Have there been any attempts to do something like this in the past?

Not sure what "like this" is yet.
Once you've gotten the necessary keys and certs imported into an NSS DB
pair, the rest of the signing process is easily automated because there's
a command line program to do it.  Seems like the challenge you're facing
is to get the private key (which I gather is in a proprietary MS .pvk file)
into some usable form.  NSS doesn't handle pvk files.  MS itself deprecated
them over a decade ago.  I'm not sure why they're still in use.  Maybe
there's some other tool on the internet that can create a PKCS#12 file from
a pvk file and some certs.  Or maybe you can/should import the pvk file
into your Windows system's key store, and then use Windows cert mgr to
create a PKCS#12 file.

Good luck.


Re: How pkcs#11 modules read the CONFIG_STRING from modutil -string command

2010-06-18 Thread Klaus Heinrich Kiwi
On Thu, 17 Jun 2010 16:37:22 -0700
Robert Relyea rrel...@redhat.com wrote:

 
  I thought C_Initialize, OpenSession or even InitToken at first,
  but looking at the spec I couldn't immediately identify where I
  could pass arbitrary data to configure the token.
  
  See the explanation at
  http://mxr.mozilla.org/security/source/security/nss/lib/util/pkcs11t.h#1208

 Also at: https://developer.mozilla.org/en/PKCS11_Module_Specs
 
 One of the areas that we've actually documented.
 

Thanks Robert and Nelson.

 -Klaus


-- 
Klaus Heinrich Kiwi | kla...@br.ibm.com | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center :   http://www.ibm.com/linux/ltc


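The mechanism behind the pkcs11t.h comment and Module Specs page linked above, as an added example that is not code from the thread or from NSS: NSS hands the `modutil -string` text (the module's library parameters) to the module's C_Initialize in the pReserved field of CK_C_INITIALIZE_ARGS, and the module parses it there. The CK_* types are trimmed stand-ins for what pkcs11.h provides, and spec_get, g_configdir and module_configdir are assumed names.

```c
#include <string.h>
typedef unsigned long CK_RV;
typedef unsigned long CK_FLAGS;
#define CKR_OK                           0x000UL
#define CKR_ARGUMENTS_BAD                0x007UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x191UL
/* Stand-in for the pkcs11.h struct (assumption: mutex callbacks reduced to void*). */
typedef struct {
    void *CreateMutex, *DestroyMutex, *LockMutex, *UnlockMutex;
    CK_FLAGS flags;
    void *pReserved;   /* NSS puts the module's parameter string here */
} CK_C_INITIALIZE_ARGS;
static char g_configdir[256];
static int g_initialized;
/* Find name=value in a module-spec string (value may be 'quoted' or "quoted").
 * Copies the value into out and returns 1, or returns 0 if absent or too long. */
static int spec_get(const char *spec, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    const char *p = spec;
    while ((p = strstr(p, name)) != NULL) {
        if ((p == spec || p[-1] == ' ') && p[nlen] == '=') {   /* whole token only */
            const char *v = p + nlen + 1;
            char quote = (*v == '\'' || *v == '"') ? *v : 0;
            if (quote) v++;
            const char *end = quote ? strchr(v, quote) : strchr(v, ' ');
            size_t len = end ? (size_t)(end - v) : strlen(v);
            if (len >= outlen) return 0;
            memcpy(out, v, len); out[len] = '\0';
            return 1;
        }
        p += nlen;
    }
    return 0;
}
/* Module-side entry point: NSS calls this with the modutil -string text in pReserved. */
CK_RV C_Initialize(void *pInitArgs) {
    const CK_C_INITIALIZE_ARGS *args = pInitArgs;
    if (g_initialized) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    g_configdir[0] = '\0';
    /* pReserved is NULL when the loader passes no spec string (e.g. a non-NSS app). */
    if (args != NULL && args->pReserved != NULL &&
        !spec_get(args->pReserved, "configdir", g_configdir, sizeof g_configdir))
        return CKR_ARGUMENTS_BAD;   /* spec present but unusable: refuse to initialize */
    g_initialized = 1;
    return CKR_OK;
}
CK_RV C_Finalize(void *pReserved) { (void)pReserved; g_initialized = 0; return CKR_OK; }
const char *module_configdir(void) { return g_configdir; }
```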