Re: Fwd: Time to dump NSS

7;t necessarily have to start from zero in case Mozilla feels that the groundwork me and my colleges have done could be useful. Regards, Anders Rundgren -Dan Veditz -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Fwd: Time to dump NSS

outside of NSS: http://webpki.org/papers/key-access.pdf Regards, Anders Rundgren -Dan Veditz -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

The TPM is dead, long live the TEE!

Somewhat unfortunate for Microsoft and Intel who have "bet the house" on TPMs (Trusted Platform Modules), all their competitors in the mobile space including Google and Apple, have rather settled on embedded TEE (Trusted Execution Environment) schemes enabling systems like this: http://www.nas

EC support / PK11_ImportDERPrivateKeyInfoAndReturnKey

I'm trying to implement SKS/KeyGen2 in Firefox. This scheme is heavily based on EC keys. According to this file https://chromium.googlesource.com/chromium/chromium/+/master/crypto/ec_private_key_nss.cc PK11_ImportDERPrivateKeyInfoAndReturnKey doesn't support EC keys. This was reported 2006. Is

Re: Removal of generateCRMFRequest

On 2013-10-10 01:36, Nathan Kinder wrote: > On 09/28/2013 12:17 PM, Brian Smith wrote: >> On Sat, Sep 28, 2013 at 7:52 AM, Sean Leonard >> wrote: >>> On 9/27/2013 5:51 PM, Robert Relyea wrote: I don't have a problem with going for an industry standard way of doing all of these thin

Re: Removal of generateCRMFRequest

On 2013-10-10 01:36, Nathan Kinder wrote: > On 09/28/2013 12:17 PM, Brian Smith wrote: >> On Sat, Sep 28, 2013 at 7:52 AM, Sean Leonard >> wrote: >>> On 9/27/2013 5:51 PM, Robert Relyea wrote: I don't have a problem with going for an industry standard way of doing all of these thin

Re: nickname for imported PKCS 12 from Firefox is called 'Imported Certificate'

96 > > Thanks > > On 05/30/2013 04:22 PM, Anders Rundgren wrote: >> FirefoxOS needs a completely renovated PKI client in order to be >> competitive and useful. >> >> Issuer-defined Icons for credential GUIs is one of the many small >> things that are ne

Re: nickname for imported PKCS 12 from Firefox is called 'Imported Certificate'

> > Although currently Firefox doesn't display nickname to users in PSM, > but in the near future, FirefoxOS (B2G) will need to display this > (nickname) to the user, FirefoxOS needs a completely renovated PKI client in order to be competitive and useful. Issuer-defined Icons for credential GU

Re: Should we create a Web API for importing PKCS 12

On 2013-05-15 11:35, Yoshi Huang wrote: > Hi, > > Currently on Firefox OS (B2G), there's no Web API could install PKCS 12. > > The use cases could be Wifi, VPN,... etc. > Some examples can be found on Android, see [1] > > Although I have found WebCrypto in the wiki and bugzilla, > but it seems i

Re: Removal of generateCRMFRequest

On 2013-04-08 15:21, helpcrypto helpcrypto wrote: > On Mon, Apr 8, 2013 at 12:10 PM, Anders Rundgren > wrote: >> This seems to be out of scope: >> http://lists.w3.org/Archives/Public/public-webcrypto/2013Apr/0072.html > > Hi Anders. > > > As it scopes

Re: Removal of generateCRMFRequest

On 2013-04-08 14:52, helpcrypto helpcrypto wr ote: >>> More generally, I would like to remove all the Mozilla-proprietary methods >>> and properties from window.crypto; i.e. all the >>> ones athttps://developer.mozilla.org/en-US/docs/JavaScript_crypto. Some of >>> them are actually pretty problem

Re: Removal of generateCRMFRequest

On 2013-04-01 23:46, Brian Smith wrote: > See https://bugzilla.mozilla.org/show_bug.cgi?id=524664 (bug 524664) and > See > https://developer.mozilla.org/en-US/docs/JavaScript_crypto/generateCRMFRequest > > My understanding is that is supposed to replace > window.crypto.generateCRMFRequest. > >

Re: Batch Signatures. Was: Web Crypto API(s) and what Mozilla wants / needs

s. At least, I cannot see that based on the current draft. Anders > > > > On Thu, Feb 21, 2013 at 4:51 PM, Anders Rundgren > wrote: >>> >>> Will it be possible, using Web-Crypto API, to sign in batch-mode? >>> >> >> Like this, I presume: >>

Batch Signatures. Was: Web Crypto API(s) and what Mozilla wants / needs

> > Will it be possible, using Web-Crypto API, to sign in batch-mode? > Like this, I presume: http://www.secrypt.de/en/products/digiseal-office-pro I believe Germany is about the only country using such schemes. IMO it is based on an altogether weird interpretation and use of the EU signature d

Re: Web Crypto API(s) and what Mozilla wants / needs

On 2013-02-21 12:28, helpcrypto helpcrypto wrote: > BTW, what is this? > http://html5.creation.net/webcrypto-api/ > These are the s.c. "Korean Use-cases" which have largely been ignored by the Web Crypto WG. Anders -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lis

Re: Web Crypto API(s) and what Mozilla wants / needs

On 2013-02-21 09:22, helpcrypto helpcrypto wrote: > So, to sum up: > > Will it be possible, using Web-Crypto API, to sign using a Pkcs#11 > key/cert? What about MSCAPI key/cert? No. > > Will it be possible, using Web-Crypto API, to sign in batch-mode? Since your requirement was associated with

Re: Web Crypto API(s) and what Mozilla wants / needs

On 2013-02-15 11:32, helpcrypto helpcrypto wrote: >> The problem with this approach is that you expose keys to arbitrary >> javascript >> code which is rather different to for example TLS-client-certificate >> authentication which only exposes a high-level mechanism as well as a >> [reasonably] se

Re: Web Crypto API(s) and what Mozilla wants / needs

On 2013-02-15 09:46, helpcrypto helpcrypto wrote: > IMHO, once we have a pkcs#11 interface to handle any smartcard, even > installed cert using NSS softoken, and maybe a wrapper to mscapi...the > only thing left is to use those certs stored "somewhere" with your > javascript API. The problem wi

Re: Web Crypto API(s) and what Mozilla wants / needs

On 2013-02-15 06:38, Martin Paljak wrote: > Hello, > > On Thu, Feb 14, 2013 at 5:48 PM, David Dahl wrote: >> I do understand the frustration you must feel in trying to get browsers > to work closely with your national ID/Cert system. There are many such > systems, and trying to create an API that

Re: Web Crypto API(s) and what Mozilla wants / needs

Hi David, IMO the Web Crypto API is on the right level. There are tons of people out there that are writing wrappers and that covers the need you mention. What Mozilla really need is a new PKI client, the current is useless, particularly for B2G (since PCs seem to be a lost case due to MSFT): h

Alternative pinning scheme. Re: Proposing: Interactive Domain Verification Approval

On 2012-12-31 16:18, Kai Engert wrote: > I propose to more actively involve users into the process of accepting > certificates for domains. If we get away from garbage like , PKI-based authentication becomes a natural feature for mobile devices. This in itself render the mentioned attacks much le

Re: Secure credit-card payments? Re: Proposing: Interactive Domain Verification Approval

On 2013-01-03 01:28, Julien Pierre wrote: > Anders, > > On 1/1/2013 12:47, Anders Rundgren wrote: >> Although the recent CA failures cast a shadow over the web they have >> AFAIK not led to any major losses for anybody. The credit-card system >> OTOH is a major source

Secure credit-card payments? Re: Proposing: Interactive Domain Verification Approval

On 2012-12-31 16:26, Kai Engert wrote: > I propose to more actively involve users into the process of accepting > certificates for domains. Although the recent CA failures cast a shadow over the web they have AFAIK not led to any major losses for anybody. The credit-card system OTOH is a major so

2013: R.I.P.

During the Netscape heydays was probably pretty OK. However, that was a long time ago. In fact, only meets a single of the dozen+ imaginable features outlined here: http://webpki.org/papers/PKI/certenroll-features.pdf For the PC platform which seems to resist all modernization efforts in th

Re: PSM module ownership, switching my focus to NSS

Hi Julien, What is Oracle's interest in NSS? IMO, NSS and JDK are behind the rest of the crypto world due to the lack of integration with the target OS. It is possible that this is a no-issue for server-companies like RedHat but for Mozilla OS it spells disaster. That is, cryptographic keys shou

Re: PSM module ownership, switching my focus to NSS

On 2012-12-13 17:10, Kai Engert wrote: > Brendan Eich suggested posting to this list, too > (already posted yesterday to Mozilla's dev-planning list). > > > Hello Mozilla, I'd like to announce a change. > > PSM is the name of Mozilla's glue code for PKI related [1] security > features, such as c

NSS in Firefox OS

I've heard about the Firefox OS but haven't been able to find much information about the internals, at least not the crypto-part. Anyway, I guess that Firefox OS uses NSS? Is it still is based on the idea that key access is done in the application context rather than through a service? Anders -

W3C takes on Web+SecurityElements

http://www.w3.org/2012/09/sysapps-wg-charter Since the smart card industry have never managed making their stuff "web compatible" before, I assume they will fail this

Re: JSS library and parsing CMS

ntent(); return signedContent; } } throw new SignatureException ("No CA key matching: " + cert.getIssuerX500Principal().getName()); } 2012-09-14 15:51, KidAlchemy wrote: > On Friday, August 17, 2012 5:44:40 AM UTC-4, Anders Rundgren wrote: >> On

Re: Update on Intel's Identity Protection Technology

On 2012-08-22 00:38, Julien Pierre wrote: Julien, > > On 8/21/2012 00:45, Anders Rundgren wrote: >> On 2012-08-21 05:42, Julien Pierre wrote: >>> Anders, >>> >>> On 8/14/2012 20:40, Anders Rundgren wrote: >>>> http://communities.intel.com/

Re: Update on Intel's Identity Protection Technology

On 2012-08-21 05:42, Julien Pierre wrote: > Anders, > > On 8/14/2012 20:40, Anders Rundgren wrote: >> http://communities.intel.com/community/vproexpert/blog/2012/05/18/intel-ipt-with-embedded-pki-and-protected-transaction-display >> >> Apparently your next PC already

Re: JSS library and parsing CMS

On 2012-08-15 21:35, KidAlchemy wrote: > On Thursday, August 9, 2012 10:26:12 AM UTC-4, KidAlchemy wrote: >> I want to use the JSS library just to parse the CMS package into the >> specific structures that are provided by JSS. I can get the signedData, >> then I call signedData.getContentInfo(),

Re: Update on Intel's Identity Protection Technology

rior browser "companion", doesn't support PIN-codes, client-key agility, issuer conformation, etc. Anders > > -Original Message- > From: dev-tech-crypto-bounces+wprice=mitre@lists.mozilla.org > [mailto:dev-tech-crypto-bounces+wprice=mitre@lists.mozilla.o

Update on Intel's Identity Protection Technology

http://communities.intel.com/community/vproexpert/blog/2012/05/18/intel-ipt-with-embedded-pki-and-protected-transaction-display Apparently your next PC already has it. What's missing is a provisioning facility for unleashing the power of this scheme so that it isn't limited to one OS, one CA (?)

Intel Identity Protection Technology with PKI

http://www.intel.com/content/www/us/en/architecture-and-technology/identity-protection/public-key-infrastructure.html Like most HW-security solutions this appears to be more or less secret... Anders -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listi

Re: VISA drops the password and replaces it with - NOTHING

On 2012-08-02 22:16, David Woodhouse wrote: > On Wed, 2012-08-01 at 11:58 +0200, Anders Rundgren wrote: >> http://www.finextra.com/news/announcement.aspx?pressreleaseid=45624 >> >> Current platforms are useless for banking so what else could they do? > > The big pr

Re: VISA drops the password and replaces it with - NOTHING

On 2012-08-02 13:22, Jean-Marc Desperrier wrote: > Anders Rundgren a écrit : >> http://www.finextra.com/news/announcement.aspx?pressreleaseid=45624 >> >> Current platforms are useless for banking so what else could they do? > > What role does the password serve here,

VISA drops the password and replaces it with - NOTHING

http://www.finextra.com/news/announcement.aspx?pressreleaseid=45624 Current platforms are useless for banking so what else could they do? Anders -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Intel Identity Protection. Was: Shared system database

I won't bother you more on this topic but I honestly do not think that there will be any progress worth mentioning (particularly on the fragmented OSS side) until Intel comes out with a open version of: http://ipt.intel.com I hope to make it easier for Intel by doing things in the opposite way, e

Re: Shared system database

e: > On Fri, 2012-07-27 at 10:53 +0200, Anders Rundgren wrote: >> I think you need to take a step back and consider which >> market and user-base you are targeting. > > No, I believe that's been clear from the beginning. Apologies if I > didn't make it explicit en

Re: Shared system database

I think you need to take a step back and consider which market and user-base you are targeting. Linux on the desktop? Why bother with that? Linux servers? Well, *that* could be interesting. Unfortunately it doesn't help much since most servers run JBoss etc so it is actually more a JDK problem.

Re: Shared system database

1] Using an on-line end-to-end-secured process 2] Specifications, Application notes, Fairly extensive PoC code including JUnit suite On 2012-07-26 14:15, David Woodhouse wrote: > On Thu, 2012-07-26 at 14:00 +0200, Anders Rundgren wrote: >> On 2012-07-26 12:24, David Woodhouse wrote: >>

Re: Shared system database

On 2012-07-26 12:24, David Woodhouse wrote: > >> My same concerns would apply to private keys. > > An application-specific 'third slot' would certainly address that > concern. IMO, private keys is a very different topic because they are not really "owned" by the user and if misused they could

Re: Shared system database

on is covered by an NDA. On 2012-07-26 03:03, Julien Pierre wrote: > Anders. > > On 7/24/2012 23:33, Anders Rundgren wrote: >> Yes. It's an issue I'm actively trying to solve. NSS seems to have made >> some *attempt* at solving it... which has some issues, and which d

Re: Shared system database

On 2012-07-25 11:32, helpcrypto helpcrypto wrote: >> As I understand it, PKCS#11 token support was actually *removed* from >> the Keychain in the latest versions of OSX, and is now a third-party >> add-on? > > IIRC: Apple said smartcard services are not going to be suportted by > them, but the com

Re: Shared system database

s for mobile banking On 2012-07-24 16:23, David Woodhouse wrote: > On Tue, 2012-07-24 at 16:12 +0200, Anders Rundgren wrote: >> IMO, this is not an NSS issue, it is rather a *NIX issue. All other >> operating systems (that I'm aware of NB...) including *NIX-derivates >> lik

Re: Shared system database

IMO, this is not an NSS issue, it is rather a *NIX issue. All other operating systems (that I'm aware of NB...) including *NIX-derivates like Android, already have a system-wide cryptographic architecture. Most (if not all) of these builds on services rather than libraries. Anders On 2012-07-24

Re: Building and running NSS for Android.

NSS and JDK seems to be severely lagging in this respect. I don't think porting NSS to Android necessarily is a prerequisite for porting Firefox to Android. IMO, it is rather a disadvantage with multiple keystores and systems. Anders On 2012-07-06 12:54, Anders Rundgren wrote: > On 2012-07

Re: Building and running NSS for Android.

On 2012-07-06 10:29, ianG wrote: > On 6/07/12 16:14 PM, Anders Rundgren wrote: >> On 2012-07-06 01:51, Robert Relyea wrote: >>> I've gotten NSS to build and mostly run the tests for Android. > > Cool! > > >>> There are >>> still a number of

Re: Building and running NSS for Android.

On 2012-07-06 01:51, Robert Relyea wrote: > I've gotten NSS to build and mostly run the tests for Android. There are > still a number of tests failing, so the work isn't all done, but it was > a good point to snapshot what I had. How does this compare/interact with Android's built-in key-store?

Re: Feedback on DOMCryptInternalAPI

On 2012-04-19 17:09, David Dahl wrote: > Hello All: > > [I have cross posted this message to dev-platform and dev-tech-crypto, > perhaps we should discuss this on dev-platform as it has a larger subscriber > base?]. > > I am just putting together a draft feature page for an internal API needed by

Re: To NSS-Java or not to NSS-Java, thats the question.

On 2012-04-20 10:34, helpcrypto helpcrypto wrote: > After reading your three mails, i have only one thing to say: Clear as water. > > Thank a lot for your patience and effort on explaining this for > short-minded like me. > Thanks a lot, REALLY, for your long, detailed and clear answer. > Of cours

Re: To NSS-Java or not to NSS-Java, thats the question.

On 2012-04-19 16:41, helpcrypto helpcrypto wrote: >> My "solution" to this is to treat all PKI-using applications as complete >> applications running in trusted code. W3C tries to do something different, >> we'll see how that pans out... > > Ok Anders, but you are -again- talking much about your

Re: To NSS-Java or not to NSS-Java, thats the question.

On 2012-04-19 09:21, helpcrypto helpcrypto wrote: >> (to me, that question makes no sense. users can't talk to smart cards. >> Only smart card readers and programs can. So what smart card reader and >> what program is doing this? A dumb smart card reader and a browser, >> following Javascript i

Re: To NSS-Java or not to NSS-Java, thats the question.

On 2012-04-18 13:06, ianG wrote: > (lo-pri interest only requests) Short return then :-) > > On 18/04/12 20:00 PM, Anders Rundgren wrote: >> On 2012-04-18 11:04, helpcrypto helpcrypto wrote: > >>>> Container attestations must be performed at the APDU-level since &

Re: To NSS-Java or not to NSS-Java, thats the question.

On 2012-04-18 11:04, helpcrypto helpcrypto wrote: > On Wed, Apr 18, 2012 at 10:03 AM, Anders Rundgren > wrote: >> Dear "helpcrypto", now it became a little bit messy because I'm talking about >> principles while you are talking about specific interfaces like NSS,

Re: To NSS-Java or not to NSS-Java, thats the question.

Dear "helpcrypto", now it became a little bit messy because I'm talking about principles while you are talking about specific interfaces like NSS, and PKCS #11. > During enrollment, i need to know card is present and the keypair is > generated inside. how can i achieve this without a pkcs#11 inte

Re: To NSS-Java or not to NSS-Java, thats the question.

On 2012-04-17 14:14, helpcrypto helpcrypto wrote: >> It was for example suggested that PKCS #11 should be exposed as a >> JavaScript object. I think that is downright ridiculous idea, >> almost as bad as: http://www.sconnect.com/FAQ/index.html > > Let me expose two user-cases where i think that w

Re: To NSS-Java or not to NSS-Java, thats the question.

On 2012-04-17 11:14, helpcrypto helpcrypto wrote: > So, do you (we) ALL agree NSS should be modified to hook with system > keystores like Windows or OSX? (Linux has no default system keystore, > so there will be no changes by now) > Maybe wtc has something to say against this... > > Are mozilla (w

Re: To NSS-Java or not to NSS-Java, thats the question.

On 2012-04-17 09:06, helpcrypto helpcrypto wrote: >> I would not build a scheme based on NSS because NSS is not a prerequisite >> unless you force people to use Firefox. > We arent forcing. We already support Microsoft, OSX and Google > browsers, and (trying) Firefox too. > >> Hooking Mozilla/NS

Re: To NSS-Java or not to NSS-Java, thats the question.

On 2012-04-16 09:47, helpcrypto helpcrypto wrote: >>> If you'd like to help make Firefox better for enterprises, we'd be >>> delighted to have you submit patches instead of questioning our >>> commitment to our users. > > I'll ask another way: Is there any argument against compiling NSS with > @lo

Re: To NSS-Java or not to NSS-Java, thats the question.

On 2012-04-11 07:42, Gen Kanai wrote: > > On 4/9/12 6:05 PM, helpcrypto helpcrypto wrote: >> The question can be changed to: >> -Do mozilla want companies and bussiness to use Firefox? (rather than >> chrome) >> -Do mozilla think themes and make up are more important to bussines >> than this ki

Re: cert8.db rewrite reasons and exceptions?

On 2012-04-09 12:13, helpcrypto helpcrypto wrote: >> http://www.w3.org/2011/11/webcryptography-charter.html > > BSmith ans RRelyea directed me there also. All fishes go to sea... ;) The really big fishes (Google, Apple, and Microsoft) haven't said a word (in public) about their interest in this.

Re: cert8.db rewrite reasons and exceptions?

On 2012-04-09 11:21, helpcrypto helpcrypto wrote: >> IMHO it depends quite a bit on what your target audience is. > > Document signing on a web browser, its *always* done using a java applets. > > Tax payment, traffic bills, more taxes...in hour case, official > documents signed by the "ministry"

Re: cert8.db rewrite reasons and exceptions?

On 2012-04-09 10:27, helpcrypto helpcrypto wrote: > So, IIUC, both of you consider using system/os/platform keystore > (directly [or hooked]) the "best" option? IMHO it depends quite a bit on what your target audience is. If you (for example) are working with server-applications you are likely to

Re: cert8.db rewrite reasons and exceptions?

On 2012-04-04 13:04, helpcrypto helpcrypto wrote: > IIRC, NSS doesnt have an official mantainer on Mozilla bugs, isnt it? > If this happens, its probably the source of many problems here. I have > filed a few bugs and most of then arent even checked. > To be fair & honest, im also guilty of that, b

Re: cert8.db rewrite reasons and exceptions?

On 2012-04-02 21:07, Robert Relyea wrote: > On 03/27/2012 01:00 AM, helpcrypto helpcrypto wrote: >> Cough, cough...exit(CKR_OK) != return CKR_OK...cough, cough >> Now cert8 is modified always (with or without our module). >> >> Anyway, can someone tell me why cert8 is rewrited on each run/close? >

Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox

It is hard to see that GUI changes would have any function except for the very few who understand the difference between roots and sub-CAs. It is similar to the EV green bar. It doesn't make any difference for "normal" people. The recent screw-ups didn't invalidate the system; it rather made the

Running NSS as a "Service"

After looking into several similar solutions including Gnome Keyring I wonder if it is not time for NSS transcending into a service rather than a library running in application context. Anyway, it seems pretty difficult adding a "trusted GUI" or "application ACL" support to NSS without a major red

Re: Developing pkcs11 module for Firefox

On 2012-01-05 02:45, Robert Relyea wrote: >> I am curious as to how smartcard management is supposed to work for Linux. >> It seems to me that it would be ideal for Firefox to support the shared DB >> on Linux. Are there OS-level tools for managing the shared DB. >> For example, is there an OS-le

Re: Developing pkcs11 module for Firefox

On 2012-01-03 23:44, Robert Relyea wrote: > On 12/30/2011 06:53 AM, Anders Rundgren wrote: >> On 2011-12-29 23:08, Brian Smith wrote: >>> Matej Kurpel wrote: >>>> On 22. 12. 2011 10:36, Imen Ibn Hotab wrote: >>>>> I`m developing pkcs#11 module for Firef

Re: Developing pkcs11 module for Firefox

On 2011-12-29 23:08, Brian Smith wrote: > Matej Kurpel wrote: >> On 22. 12. 2011 10:36, Imen Ibn Hotab wrote: >>> I`m developing pkcs#11 module for Firefox. > >> I was developing a PKCS#11 module as well. > > Just out of curiosity, what do your PKCS#11 modules do? > > Would it make things easier

Fwd: gnome-keyring Question about ACL per storage item

Naturally a system like described below must support an*/issuer-defined/* ACLs on enrolled keys... /a Original Message Subject:gnome-keyring Question about ACL per storage item Date: Thu, 20 Oct 2011 10:17:00 +0300 From: Elena Reshetova To: gnome-keyring-l...@gno

Token Provisioning in Firefox

Recently there has been some discussions in the IETF PKIX list regarding future enrollment systems including those in browsers. I remain confident that it is infeasible extending such a scheme to include smart cards since Certificate Enrollment and Token Provisioning are very different, even if

Re: NSS_NoDB_Init undefined refence ??

I would drop NSS and C programming; it is for experts only. Java is much easier and JCE is quite powerful and there are tons of code to google for. Anders On 2011-08-09 11:19, florent ainardi wrote: > hi again > i wrote this program > > #include > #include > > int main(int argc, char *argv[]

HTTPS client-certificate-authentication in browsers

Today's harvest :-) HTTPS client-certificate-authentication in browsers === I don't believe that TLS CCA (Client Certificate Authentication) in the form of HTTPS as implemented in current browsers has much of a future. In fact, quite a bunch of the

Re: DOMCrypt API developments

On 2011-06-21 11:18, Konstantin Andreev wrote: > [combining two cites to save space] > > On 21.06.11 00:48, Anders Rundgren wrote: >> >> We have both come to the conclusion that Firefox et al sucks since just >> about all serious users need to deploy plugins in order

Re: DOMCrypt API developments

On 2011-06-20 09:29, Jean-Marc Desperrier wrote: > Anders Rundgren wrote: >>> The webcrypto-api proposal is oriented around certificate/X509/smartcard >>>> PKI, I end up with the feeling the two proposal lives in different realms. >> http://html5.creation.net/web

Update: Browser Crypto Protocol Invocation

Some three years ago I published a proposal on how browsers could be extended with potentially more powerful, XML-centric variants of , signText(), CertEnroll, etc,. Given the recent work on JSON-based security-protocols in the IETF, as well as some old-timers clinging on to ASN.1, I have revised

Re: DOMCrypt API developments

On 2011-06-17 15:31, Jean-Marc Desperrier wrote: > David Dahl wrote: >>> I find this API effort very interesting, however I'm left with the feeling you wish to leave out the use of PKI elements. A really neutral API would work both with and without PKI. >> Public Key crypto is actually

Re: DOMCrypt API developments

On 2011-06-14 16:48, Jean-Marc Desperrier wrote: > David Dahl wrote: >> From: "L. David Baron" >> On Monday 2011-06-13 15:31 -0700, David Dahl wrote: In trying to get the word out about a browser crypto API I am championing (see: https://wiki.mozilla.org/Privacy/Features/DOMCryp

Re: keygen & CRMF on Firefox for mobile

On 2011-05-12 19:52, Honza Bambas wrote: > On 5/9/2011 10:52 PM, Michael Helm wrote: >> This flavor of firefox 4 >> Useragent string: Mozilla/5.0 (Android; Linux armv7l; rv:2.1.1) Gecko/ >> Firefox/4.0.2pre Fennec/4.0.1 >> (which can be installed on Android phones& tablets) >> seems to lack a func

PKIX enrollment activities

Dear NSSers, It seems that enrollment of credentials has finally gotten the attention it deserves: http://www.ietf.org/mail-archive/web/pkix/current/msg29024.html Anders -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Google's Chrome. Was: Root certificate authorities

On 2011-03-13 16:36, Honza Bambas wrote: > On 3/5/2011 9:22 PM, Nelson B Bolyard wrote: >> There's an unfinished set of code in Mozilla's CVS repository that >> implements a PKCS#11 module on top of MS CAPI, enabling access to certs >> and keys in Windows' cert and key stores. Read about it in >>

Why porting NSS to Android won't work

, you wouldn't be able to use it except through physical access to the device. Pardon for being a PITA but mobile phones should IMO not inherit all the legacy c**p we have in desktop systems. Anders Rundgren -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: TLS-SRP (was Re: J-PAKE in NSS)

On 2011-03-10 22:07, Brian Smith wrote: > "Jean-Marc Desperrier" wrote: >> The rule doesn't change so much : you still need to enter your >> password inside a secure element, ie if we teach user it's OK to >> enter their SRP password in a non secure GUI "because it won't be >> sent to the server"

Re: TLS-SRP (was Re: J-PAKE in NSS)

On 2011-03-10 09:32, Daniel Stenberg wrote: > On Wed, 9 Mar 2011, Anders Rundgren wrote: > >> It is too late introducing TLS-SRP, the market will not use it. > > Uh? There's not just one single market that will or won't use a particular > protocol feature. Ther

Re: TLS-SRP (was Re: J-PAKE in NSS)

It is too late introducing TLS-SRP, the market will not use it. Why not make NSS more useful for certificates instead? Anders On 2011-03-09 09:45, Jean-Marc Desperrier wrote: > Brian Smith wrote: >> An augmented PAKE user authentication protocol might be very useful >> for some things, but TLS-SR

Re: Personal crypto device (or smart card) success stories?

Aug 30, 2007 (!!!) Nelson Bolyard wrote: /NSS, the crypto software used in mozilla browsers and email clients, was one of the first adopters of PKCS#11, the interface standard for crypto devices like smart cards and USB crypto fobs. Network client products that use NSS have been able to work wit

NSTIC Update - Firefox Still Missing

http://www.nist.gov/nstic/video.html What this esteemed bunch of people may have overlooked, is that in a world hooked on on-line, the majority of actual uses-cases also presume on-line provisioned credentials directly to the end-user. However, there is no such system available today for the

Re: Two-factor auth for Bugzilla

Matej Kurpel wrote: On 3. 2. 2011 9:21, Anders Rundgren wrote: Matej Kurpel wrote: On 2. 2. 2011 13:37, Gervase Markham wrote: On 01/02/11 18:08, Matej Kurpel wrote: @Q4: I am doing this as my diploma thesis, it works for Windows Mobile phones/PDAs and is tested with Firefox and Thunderbird

Re: Two-factor auth for Bugzilla

Matej Kurpel wrote: On 2. 2. 2011 13:37, Gervase Markham wrote: On 01/02/11 18:08, Matej Kurpel wrote: @Q4: I am doing this as my diploma thesis, it works for Windows Mobile phones/PDAs and is tested with Firefox and Thunderbird. Certificate login works fine in Firefox. Can you tell us a bit

Re: Two-factor auth for Bugzilla

aerow...@gmail.com wrote: On Tue, Feb 1, 2011 at 1:19 PM, Marsh Ray wrote: On 02/01/2011 02:41 PM, Anders Rundgren wrote: What about the client cert in a smart card? That's old and standard and supported by Mozilla. I don't know what kind of prices you'd have to pay for s

Re: Two-factor auth for Bugzilla

Gervase, The ability to use a chip as holder of credentials for on-line providers like Bugzilla is unlikely to happen in a major way until there is an open solution for getting keys down into the chip/container that is: 1. Usable by non-experts 2. Is secure in such a way that banks could use it

Re: NSS SoftToken Capabilities

Robert Relyea wrote: Token provisioning is outside the PKCS #11 module. It uses global platform secure channels to communicate to the card. The APDU's are specific for the cards applet. Yes, and this is why Firefox and other browsers are slightly incompatible with the web from a client-side P

Re: NSS SoftToken Capabilities

Matej Kurpel wrote: On 4. 1. 2011 22:23, Robert Relyea wrote: On 01/03/2011 01:04 PM, Anders Rundgren wrote: Hi, I'm in the starting phase upgrading Firefox so that it can provision credentials in a way that that banks and governments require which among many things include E2ES (End-t

NSS SoftToken Capabilities

Hi, I'm in the starting phase upgrading Firefox so that it can provision credentials in a way that that banks and governments require which among many things include E2ES (End-to-End Security) and issuer- specified PIN-codes (or just policies for user-defined dittos). The plan is mainly focusing

On-line provisioning of keys in NSS

http://www.gsmworld.com/newsroom/press-releases/2010/5726.htm As I said a million times before, on-line provisioning of HW tokens is the future. My take on this subject is (still...) defining a standard container based on "Open Hardware" because E2ES (End to End Security) cannot be abstracted (d

Re: EC point compression

David Stutzman wrote: I'm assuming not based on my experience, but does NSS support point compression on EC keys? Dave Isn't that a thing that Certicom have patented? -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: [seek-for-android] Re: Port Mozilla NSS/JSS to smart phone platform

May I comment a bit on this? msm Li wrote: Currently, the smartphone platform is lack of unified software/hardware security module. For example, iPhone stores certificates in the Keychain, BlackBerry stores certificates in BlackBerry device key store, Android has no such secure storage. True.

  1   2   3   4   >