Ryan Sleevi a écrit :
That was an interesting rant, thanks.
reliance on PKCS#11 means that there are non-trivial overheads when
doing something as simple as hashing with SHA-1. For something that is
such a simple transformation, multiple locks must be acquired and the
entire NSS internals
Robert Relyea a écrit :
- Original Message -
On Tue, 2013-02-26 at 17:05 -0500, Robert Relyea wrote:
http://pki.fedoraproject.org/wiki/ECC_Capable_NSS
Isn't it about time Red Hat started shipping non-crippled versions?
RFC 6090 is two years old now...
It's never been a technical
Anders Rundgren a écrit :
http://www.finextra.com/news/announcement.aspx?pressreleaseid=45624
Current platforms are useless for banking so what else could they do?
What role does the password serve here, except forcing me to create an
unrequired account by every merchant I decide to use ?
Erwann Abalea a écrit :
if Google could come up with an efficient mechanism so that
revocation is really checked, that's cool. The less than 100k is a
challenge, I'd like to see how it will be solved
The more since all those random serial numbers can't be compressed.
I wonder if he wasn't
Erwann Abalea a écrit :
Who will come with a 12-dan black bar UI?
That's a joke on the fact it goes full-cycle at 12-dan and we're back to
a white belt, right ? But double-width, so you *can* tell the difference
with the normal white bar ;-)
--
dev-tech-crypto mailing list
Hi,
Google just published the changes they are about to do in the revocation
checking in Chrome :
http://www.imperialviolet.org/2012/02/05/crlsets.html
In my opinion, maybe somewhat opposite to the way they describe it,
fundamentally they are not *at* *all* changing the standard PKI method
Robert Relyea a écrit :
7. libpkix can actually fetch CRL's on the fly. The old code can only
use CRL's that have been manually downloaded. We have hacks in PSM to
periodically load CRL's, which work for certain enterprises, but not
with the internet.
PSM's periodic CRL download's certainly
Brian Smith a écrit :
3. libpkix can enforce certificate policies (e.g. requiring EV policy
OIDs). Can the non-libpkix validation?
EV policy have been defined in a way that means they could be supported
by a code that handles an extremely tiny part of all what's possible
with RFC5280
Robert Relyea a écrit :
On 01/04/2012 05:56 PM, Brian Smith wrote:
Robert Relyea wrote:
On 01/04/2012 04:18 PM, Brian Smith wrote:
In the cases where you fetch the intermediates, the old code will not
work!
[...] I'm talking about
fetching intermediates themselves because they
Scott Thomas a écrit :
keygen name=spkac keytype=EC keyparams=secp384r1/
but the keys are not generated.
i have checked that ECC support from mozilla was removed, can any body
confirm it or tell the way how to enable it, ?
https://bugzilla.mozilla.org/show_bug.cgi?id=367577
Ideas / thoughts ??
David Dahl wrote:
I find this API effort very interesting, however I'm left with the
feeling you wish to leave out the use of PKI elements.
A really neutral API would work both with and without PKI.
Public Key crypto is actually the main use case of this API.
I meant more certificate/X509
David Dahl wrote:
From: L. David Barondba...@dbaron.org
On Monday 2011-06-13 15:31 -0700, David Dahl wrote:
In trying to get the word out about a browser crypto API I am
championing (see:
https://wiki.mozilla.org/Privacy/Features/DOMCryptAPISpec/Latest
), I wanted to post here for
Kai Engert wrote:
I'm thinking the following could solve the problem
Please help me: which problem is it, that you want to solve, that isn't
yet solved by the current implementation?
Ease of use, understandability of the process for the average user.
Average users fills a form, and that's
Kai Engert wrote:
Another short note: The problem with solely distributing the S/MIME
certs is that a MUA does not have the S/MIME capabilities of the cert
owner's MUA. So the sender MUA might choose a weak symmetric cipher.
...
So the safest way is still to send a signed e-mail for
On 18/05/2011 19:25, Brian Smith wrote:
No, he meant dev.security
I could have been more explicit.
and he cross-posted and set the follow-up
header on his message to point to that newsgroup. I agree that if
there's any discussion, it can/should happen there.
But my message ended up with an
Brian Smith wrote:
See https://twitter.com/#!/scarybeasts/status/69138114794360832:
Chrome 13 dev channel now blocks certain types of mixed content by
default (script, CSS, plug-ins). Let me know of any significant
breakages.
See
Robert Relyea wrote:
One interesting
historical note is the final solution was based on a suggestion of one
Jean-Marc Desperrier;).
Well, when rereading that bug to check it all, I mistakenly thought that
NSS 3.9 was the first version with libpkix and that the change only
applied to libpkix
On 08/04/2011 19:31, Jay Garcia wrote:
Now let's see what turns up.
At this point, I can not reproduce the problem.
https://www.ausnetservers.net.au/webmail (as well as the others)
forwards to vps-serv-1.ausnetservers.net.au that times out.
However this happens after I've added the
This should be on crypto, not security, transferring. I have an hard
time testing it fully because of time-outs on vps-serv-1.ausnetservers.net
But the problem seems to be :
- With Firefox 4, adding an exception for a cert on domain X prevents
from continuing to accept this cert as valid on
Brian Smith wrote:
An augmented PAKE user authentication protocol might be very useful
for some things, but TLS-SRP seems very troublesome. IIRC, there are at
least four deal-breaking problems with TLS-SRP as a substitute for PKI:
I don't see it as a substitute for PKI, only as a substitute
Brian Smith wrote:
Jean-Marc Desperrier wrote:
[...] (I'd expect it instead to leave
the AES256 key inside NSS and just get back the handle to it to
encrypt what it needs later. [...]).
The kind of improvement you described above will be made to resolve
Bug 443386 and/or Bug 638966.
I
Robert Relyea wrote:
About the
only use I could reasonable see for it would be to support PKCS #11
modules.
The other use would be as an optimized base for a big num
implementation, and that's what the original distribution says : ANSI C
code library that performs arbitrary precision integer
Robert Relyea wrote:
So the end result : I see that J-PAKE code got included inside NSS
https://bugzilla.mozilla.org/show_bug.cgi?id=609076 with a layer to
access it from js (bug 601645). This was not announced here, and even
if it looked like Sync Would keep J-PAKE, I did not imagine
For context, from a message I wrote in last October :
Given the number of protocols that include SRP (SSL/TLS, EAP, SAML),
given that there's already a proposed patch for NSS (bug 405155, bug
356855), a proposed patch for openssl (
Hi,
There was some talk last october about accessing the mp_int API from
javascript, and so freezing it in order to make it available as a frozen
API.
Nelson concluded that the one difficult point would be to freeze the
mpdigit structure, since it currently has machine/processor-version
Gervase Markham wrote:
Are any of you interested in submitting a proposal for a Summer of Code
project for Bugzilla this year, and mentoring it?
https://wiki.mozilla.org/Community:SummerOfCode11:Brainstorming
NSS has done several projects in the past (recently, RSA-PSS signatures
and some TLS
Jean-Marc Desperrier wrote:
Especially the certlock Firefox extension they propose, which builds
upon Kaie's Conspiracy, but does something more sophisticated.
Unfortunately it seems it has not been made publicly available until now.
Coming back on that old message to say I just saw it's
Robert Relyea wrote:
We do not support a
binary compatible big num library interface, and that's what adding the
symbols to freebl is saying.
One month ago Nelson said he wasn't in principle against doing that,
taking into account making it cleanly definitively requires more work
and
On 11/11/2010 07:24, Nelson B wrote:
Today, there's no doubt. Moderation is really in effect.
Great to see that as I'm coming back online after a two weeks break.
[...] Finally I can be confident that readers of this list
will not be receiving spam through it ... (I think)
And the people
Matej Kurpel wrote:
In the Type field for S:, O:, OU: and CN: I always provided 0x0c which
is utf-8 string, but in the certificate there was 0x13 - printable
string. After I changed it - voila, it's working in Thunderbird, and
certutil doesn't crash anymore.
It sounds like a serious bug. Could
Brian Smith wrote:
Nelson B Bolyard wrote:
[...]
I'm talking about putting JBAKE (or whatever it is) into the base product.
[...]
Is there something specific about J-PAKE that you think is bad or
worse than some alternative? Are you objecting to J-PAKE because you do
not trust the
Brian Smith wrote:
A balanced scheme is actually better for Sync because we are asking
the user to read a code from the screen of device 1 and type it into
device 2. Both devices need the same psssword/PIN.
The augmented scheme of SRP can be degraded to a balanced scheme if you
need. It's
On 22/10/2010 19:07, Brian Smith wrote:
Speaking only for myself, I have no objection to offering the mp_int
bignum API as a public API out of freebl3.
If people are open to having the J-PAKE building blocks in FreeBL,
then we wouldn't need MPI to be part of the public API. The main concern
Brian Smith wrote:
Jean-Marc Desperrier wrote:
Why are you choosing J-PAKE instead of SRP ?
The J-PAKE authors claim they developed J-PAKE to avoid patents that
cover other algorithms, and they claim they won't patent it. I don't
know if either claim is true or not.
The reference I gave
Philipp von Weitershausen wrote:
Not sure how generic the signature of the zero knowledge proof we use
in J-PAKE is. Compatibility with the implementation found in OpenSSL
is important for us right now
Hi,
Why are you choosing J-PAKE instead of SRP ?
Looking for an assessment of J-PAKE
Felix Alejandro Prieto Carratala wrote:
I also try this:
[...]
//pk is a org.mozilla.jss.crypto.PrivateKey that i get with
//CryptoManager.findPrivKeyByCert(cryptoManager.findCertByNickname(nickName));
Why is that line commented out ? Do you test you get a valid pk handle
out of
Stephen Shankland wrote:
I've now located the blacklist file, which at present has 661 sites
blacklisted, so I suspect you guys are right on that basis, too.
The way it was written on Langley's blog, one could easily think they
had used the method of calculation that gave a better looking
Hi,
Google is currently communicating about how they will use SSL False
Start to accelerate the web, even if it means breaking a small
fraction of incompatible site (they will use a black list that should
mitigate most of the problem).
See http://news.cnet.com/8301-30685_3-20018437-264.html
On 19/08/2010 22:44, Nelson B Bolyard wrote:
Support for NSS on device OSes (such as cell phone OSes) is provided by
various teams that are adapting Firefox to run on those devices. Mozilla
has a team that does that and I suspect they could help you
Maybe they couldn't. That's a JSS problem,
waldemar.ko...@max.com.pl wrote:
Unfortunately i don't :( and it's out of
http://releases.mozilla.org/pub/mozilla.org/firefox/releases/. Could you
provide me with the link if it exists elsewhere ?
It's here :
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/
But the fact
Nelson B Bolyard wrote:
Fame and Glory await.:-)
Which means a mention in http://www.mozilla.org/credits/ or about:credits :
We would like to thank our contributors, whose efforts make this
software what it is. [...]
Any such contributors who wish to be added to the list should send
mail
Šandor Feldi wrote:
I do get multiple certificate selection dialogs in sequence at SSL
session start...so I have to reselect the same cert, say twice...
I enter the https of the target site, I get asked about the cert - I
select it, then the site displays my info and offers me anenter
site
Eddy Nigg wrote:
Isn't this actually a sign that the technology works? I mean, 100% false
positives means literally 100% success.
Shit no !
The higher the false positive rate, the more acute the failure.
People will trust and respect the warning *only* if there's a very low
rate of false
Marsh Ray wrote:
What do you propose other than not letting the user bypass
the cert error page at all?
Investing some serious time enhancing those errors.
Or investing some serious time evangelising the SSL site owners into
using a real certificate.
But the statu quo doesn't work.
Eddy Nigg wrote:
- Do other applications (like thunderbird and other mail), would make
sure that they search through all the e-mail addresses to look for a
match?
Yes, this appears to be the case.
IIRC, they do but they are some place where only one adresse will be
printed, the first of
On 12/04/2010 15:29, Eddy Nigg wrote:
updated servers need updates clients and break older ones, whereas old
servers will not allow new clients.
I haven't seen one yet, that doesn't have a flag to accept older
clients. If you set that flag, *and* disable renegotiation at least for
older
On 31/03/2010 17:11, Kaspar Brand wrote:
On 31.03.2010 07:49, Michael Ströder wrote:
It seems it's a CMS structure and recipientInfos contains subject key ids
instead of issuerAndSerialNumber. It seems Seamonkey 2.0.x does not support
that. Is it supported by the underlying libs?
I believe
Matt McCutchen wrote:
On Apr 6, 5:54 am, Jean-Marc Desperrierjmd...@gmail.com wrote:
Matt McCutchen wrote:
An extended key usage of TLS Web Server Authentication on the
intermediate CA would constrain all sub-certificates, no?
You are here talking about a proprietary Microsoft
Matt McCutchen wrote:
An extended key usage of TLS Web Server Authentication on the
intermediate CA would constrain all sub-certificates, no?
You are here talking about a proprietary Microsoft extension of the X509
security model.
--
dev-tech-crypto mailing list
Matt McCutchen wrote:
A name-constrained intermediate certificate could be quite convenient
for the large organizations that are presently demanding their users
to trust private CAs for the whole Web (see bug 501697).
Ah ! The direction of restricting people who currently use sub-CA for
their
On 04/04/2010 08:32, Matt McCutchen wrote:
[...]
It would be great if a Mozilla-recognized CA would be willing to give
me, as the registrant of mattmccutchen.net, an intermediate CA
certificate with a critical name constraint limiting it to
mattmccutchen.net.
I don't believe this taking a
On 02/04/2010 18:25, johnjbarton wrote:
The appropriate way to address this security problem starts by
contacting the major providers of server software
There's no need to contact them, they are well aware of the problem.
AFAIK they have all already issued the necessary updates.
It's the
johnjbarton wrote:
Closely related to bug 554594 is
https://bugzilla.mozilla.org/show_bug.cgi?id=535649
Web developers using Firefox Error Console or tools like Firebug that
use nsIConsoleService are now bombarded with pointless messages like:
services.addons.mozilla.org : potentially
Kurt Seifried wrote:
Is this another 1st of April joke? At least your timing is a bit
questionable;-)
No this is not an April fools joke. The PDF at Linux Magazine is what
will be in the print copy (due out in 3 weeks I believe)
Kurt, the best group for sending this and also to continue the
The most adequate group for this discussion would be mozilla.dev.tech.crypto
I agree than enhancing generateCRMFRequest to let it generate a more
usual format instead of only CRMF would be a big step forward.
And making more obvious that keygen is not a good long term solution is
a very good
Eddy Nigg wrote:
On 03/30/2010 01:23 PM, Jean-Marc Desperrier:
And making more obvious that keygen is not a good long term solution
is a very good thing.
Only in case the alternative will be supported by all or most browsers.
The original message shows that the fact keygen imposes a text
Hanno Böck wrote:
[...]
Firefox release source bundles nss, but it's good linux distribution policy to
avoid bundled libraries, so this shouldn't happen.
Maybe in general, but in this case what you really want is the NSS
version that's used by Firefox.
I think what the process guarantees is
Jean-Marc Desperrier wrote:
Article on Wired here :
http://www.wired.com/threatlevel/2010/03/packet-forensics/
The original article is well worth reading also :
http://files.cloudprivacy.net/ssl-mitm.pdf
Especially the certlock Firefox extension they propose, which builds
upon Kaie's
On 27/03/2010 11:59, Hanno Böck wrote:
I'm not sure if you're aware of that issue, but as firefox 3.6.2 needs nss
3.12.6 and there's no release tarball yet
You are two days late :
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_6_RTM/src/
Dated from the 25 of march.
Gregory BELLIER wrote:
Jean-Marc Desperrier a écrit :
Wan-Teh Chang wrote:
You can use the NSS command-line tool 'ssltap' to inspect the SSL
handshake
messages:http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html
It's significantly easier to do it with Wireshark.
Is it easier
Emmanuel Dreyfus wrote:
So as I understand, it is not implemented yet. This is a quite
disapointing, since the documentation does suggests it is fully
supported. This should be updated.
Just get a login on MDC :-)
Now that I wrote the code in C for producing a base64 encoded
Wan-Teh Chang wrote:
Please use the official page instead:
https://wiki.mozilla.org/Community:SummerOfCode10
But only when a mentor can be immediately identified !
I have another idea, but I don't believe any sponsor/mentor can be found.
The S/MIME code in Thunderbird was written before an
Gregory BELLIER wrote:
As I said I would do, I looked every where in the code where the word
camellia appears and my code is very much alike. I really don't know.
Did you have a look at a Wireshark capture of it ?
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
Wan-Teh Chang wrote:
Implementing RSA-PSS should be a good SoC project. If it turns out
to be too little work, you can always implement the related RSA-OAEP
encryption.
Another good SoC project might be to add support for TLS 1.2 and SHA256
based TLS crypto suites, no ?
Updating the PRF to
Nelson B Bolyard wrote:
When the user says I
want to clear my current session, which of those SSL sessions
does he mean?
The server whose name appear in his URL bar.
Anyway if PSM does not expose a jave script method for accessing the
clear cache command, I'm sure kai or myself would be
Chris Hills wrote:
Perhaps there is place for a fork of firefox (perhaps an enterprise
version) that uses the windows certificate store and dispenses with the
local certificate store. I understand that support for MSI installation
is already being worked on.
I think it would make much, much
Nelson B Bolyard wrote:
it has exposed an unrelenting amount of accusation without
evidence. Show us a single falsified certificate. Anything less is
unworthy of this forum.
A large amount of that. But not necessarily exclusively.
There is in what has been reported one fact that has merit
Gregory BELLIER wrote:
Ok, so it's still sha1 by default for S/Mime ?
Is it also sha1 by default for TLS ?
TLS depends on the cipher-suites, and fortunately it's not hard-coded.
Unfortunately, the first cipher suites using SHA256 are the one defined
in TLS1.2 (RFC5246), and I believe the
Wan-Teh Chang wrote:
But Michael Wu of Mozilla just started porting NSPR to Android.
So I expect NSS will be ported to Android soon.
Sorry if that's slightly off-topic, but what crypto layer does the
Androïd browser use then ?
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
On 20/02/2010 03:25, Eddy Nigg wrote:
Apache performs a renegotiation when none is needed when configuring
client authentication at a particular location, is there a logical
explanation for that? Or even considered correct implementation?
Yes, there's a logical explanation and Apache is doing
Eddy Nigg wrote:
Trying the different sub domain trick doesn't work on the same server
but different host and IP.
Let me phrase this explicitly :
- You use only one Apache instance
- You configured two virtual hosts inside that instance
- Then :
- either each virtual host listens on
Michael Ströder wrote:
This is because some influential people consider:
* S/MIME caps are just a part of mail security protocol
Which is IMO complete non-sense.
Yes, and I don't believe this is the major reason why it's not possible
in Seamonkey/Thunderbird.
The main reason is that
Eddy Nigg wrote:
Trying the different sub domain trick doesn't work on the same server
but different host and IP. I assume that's because the server reuses the
cached SSL session and initiates a renegotiation upon certificate
authentication. Does that make sense so far?
I just tried
Eddy Nigg wrote:
On 02/14/2010 07:28 PM, Daniel Veditz:
[...] Firefox settings are currently extremely
permissive,
[...] it's breaking the client certificate authentication of a
couple of ten thousands of active user accounts at StartSSL. I take it
as a reward for being the only CA protecting
Hi,
On
https://developer.mozilla.org/en/NSS_reference/NSS_cryptographic_module
page, there's a link for NSC_ModuleDBFunc but it points nowhere.
Was the doc never written, or did it get lost in some reorganization of
the site ?
--
dev-tech-crypto mailing list
Nelson B Bolyard wrote:
For over 13 years now I've been employed to work full time as a developer
of NSS and NSPR, but beginning in January 2010, I shall have a new job
where NSS is not part of my job description.
Good luck in that, Nelson.
--
dev-tech-crypto mailing list
Eddy Nigg wrote:
Interestingly I /think/ NSS is the only library which really has a
problem with it, to all of my knowledge (and I might be wrong with that)
You might. Openssl (therefore mod_ssl, etc.) also has a problem when it
doesn't match. I think most other library also have a problem
Nelson B Bolyard wrote:
CAs that
make this mistake typically have to abandon and completely replace their
entire PKI (entire tree of issued certificates) when a CA cert expires and
its serial number appears in the AKI of other subordinate certs. More than
once I've seen entire corporate PKIs
Maciej Bliziński wrote:
I'd like to pass the -L and -R flags via environment
variables
For anyone else, CSW packages use this to tell the builds to use
/opt/csw/lib to locate their dependencies.
What's the best way to make the NSS build read LDFLAGS and LD_OPTIONS?
That's a very valid
Udo Puetz wrote:
I think (and from googling also quite a lot of other people too) that
you should use the stores that are available on that platform.
I fully agree with that. And just keep a manual option to do otherwise
for those who don't want their security component to rely on a Microsoft
Udo Puetz wrote:
I've recently written about a windows firefox hardware token problem
(see list) and didn't get a solution before the discussion drifted off
into universalities. Problem not solved, customer unhappy and us too.
It's easy for discussiosn in a list such as this one to drif off,
Michael Ströder wrote:
- add a time-stamp and update the S/MIME capabilities
and timestamp whenever a new S/MIME message is received.
- use the cert extension solely when no signed S/MIME message was received
so far or the notBefore date of the e-mail cert is newer than the
timestamp of the last
Anders Rundgren wrote:
we see the start of going out of that through the European Citizen Card
(ECC) standard CEN TS 15480
This is something I really hate:
http://www.evs.ee/product/tabid/59/p-165216-cents-15480-22007.aspx
Paying for *open* standards!
In fact, I'm not sure I directed you to
Kyle Hamilton wrote:
I'm not aware of any such profile. There is smart card profile
but I doubt it has much to do with PKCS #11, it is rather about
7816.
You're right, PKCS#11.
http://www.usb.org/developers/docs/EH_MR_rev1.pdf
But what is 7861?
He's refering to ISO7816, the set of
Nelson B Bolyard wrote:
If Microsoft has merely taken a DER-encoded object from another standard
and has incorporated it into a cert extension, that seems fine to me.
I hope they did it in such a way that existing BER/DER parsers of the
sMIMECapabilities attribute can just parse the extension
Nelson B Bolyard wrote:
Does this assume LDAP for acquiring the certificate without a signed
S/MIME message? (So it is only relevant in corporate setting?)
No. There are many ways to get a cert for an email correspondent.
There is only one way to get that correspondent's email
Nelson B Bolyard wrote:
if you send an encrypted message to
someone from whom you have never received a signed S/MIME message, you will
use weak encryption.
Thank you for this useful description.
I feel it would make sense to open a bug to change this default.
Rational : If someone went the
Arshad Noor wrote:
The reason we use the PKCS#8 format is only because, in the multi-step
process of generating a key-pair, creating a CSR and getting a digital
certificate from an internal/external CA, the private-key needs to be
temporarily stored securely until a CA issues the digital
Nelson B Bolyard wrote:
Is that python code? I thought it was JavaScript.
Yes, you're right, I had a really too quick look at it :-)
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
starryrendezv...@gmail.com wrote:
hash: function(str,method) {
[...] str.charCodeAt(i)
python quite probably outputs the value of str.charCodeAt(i) as some
variant of a UTF-16 value. Or UCS-2 with no handling of surrogates.
Under which format is the string inside the file that md5sum
Ludovic Hirlimann wrote:
Often we get issue that involve certificates, or crypto errors. Are
there any ways to log what PSM or NSS do the way we can log other
protocols - I haven't found anything in the documentation
I'm a bit surprised. If you know how to log other protocol, you know the
Eddy Nigg wrote:
Adding parameters which adds additional control such a policies and
forcing of smart cards (storage device) would be extremely helpful, once
you get to add some features.
No, the keygen tag is just too bad to be updated to something really useful.
crypto.generateCRMFRequest
Nelson B Bolyard wrote:
The problem is in the way that Mozilla builds JEMalloc for FF on Windows.
They build a replacement for the Microsoft C RunTime Library. This
replacement is a hybrid, built in part from JEMalloc source code, and in
part from Microsoft's source code for MSVCRT, which
Robert Relyea wrote:
[...] At the
cost of about 20 bytes per client you would rather chew up CPU and
network resources?
It's very far from being that small usually. It can't be that small if
client authentication is used.
There's an extension to TLS to offset the cost to the client (the
Peter Lind Damkjær wrote:
Varga Viktor wrote:
snip
OCSP request with multiple certificate from different CA
--
The RFC has the possibility to send multiple certificate serial number into
OCSP request. It is not defined that allowed or not, to put two certificate
serial number,
Kyle Hamilton wrote:
[...] this CA in question is not generating improper
certificates. It is generating proper CRLs, and it is simply encoding
and transmitting them as PEM-encoded DER-encoded CRL structures when
RFC5280 (which, by the way, I've been repeatedly told that NSS does
*NOT* comply
Nelson B Bolyard wrote:
Kathleen Wilson wrote, On 2009-02-24 12:21:
* CRL issue: Current CRLs result in the e009 error code when
downloading into Firefox. ComSign has removed the critical flag from
the CRL, and the new CRLs will be generated in April.
Was that with FF 2? FF 3 should
Eddy Nigg wrote:
On 02/25/2009 08:31 PM, Gervase Markham:
On 23/02/09 23:54, Eddy Nigg wrote:
[...]
Only CAs are relevant if at all. You don't expect that 200 domain names
were registered by going through anti-spoofing checking and measures, do
you?!
[...]
Outsh, sorry! That should have
Jean-Marc Desperrier wrote:
[...]
With FF 3.2a1pre latest nightly the result of dropping the URL
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl on a browser window
is :
The application cannot import the Certificate Revocation List (CRL).
Error Importing CRL to local Database. Error
Paul Hoffman wrote:
At 7:09 AM +0100 2/24/09, Kaspar Brand wrote:
Kyle Hamilton wrote:
Removal of support for wildcards can't be done without PKIX action, if
one wants to claim conformance to RFC 3280/5280.
Huh? Both these RFCs completely step out of the way when it comes to
wildcard
1 - 100 of 194 matches
Mail list logo