Thanks Nelson for explaining this.
I also understand your worries regarding what to sign and I would
be very dishonest if I said I have "solved" it. In fact, my design
doesn't even address this issue (!) except that it of course builds
on the assumption that at least the "viewer" works as expecte
Hi,
Hans Petter Jansson wrote:
>>> This database only fails to migrate if the target database was not
>>> already created by another, successful merge, though.
>
>> I think you're saying that the failures only occur if the "target" (cert9)
>> DB doesn't already exist when your program is run, b
Anders Rundgren wrote:
I also understand your worries regarding what to sign and I would
be very dishonest if I said I have "solved" it. In fact, my design
doesn't even address this issue (!) except that it of course builds
on the assumption that at least the "viewer" works as expected.
Now, w
Nelson Bolyard wrote:
Eddy Nigg wrote:
On 11/19/2008 05:52 PM, Anders Rundgren:
In the meantime, wouldn't it be of some value if Mozilla tried to
satisfy a PKI-related activity that in number of users, already is much
bigger than S/MIME, i.e. the concept of "Web Signing"?
What is this suppose
Anders Rundgren wrote:
I also understand your worries regarding what to sign and I would
be very dishonest if I said I have "solved" it. In fact, my design
doesn't even address this issue (!) except that it of course builds
on the assumption that at least the "viewer" works as expected.
But i
Nelson Bolyard wrote:
Eddy Nigg wrote:
On 11/19/2008 05:52 PM, Anders Rundgren:
In the meantime, wouldn't it be of some value if Mozilla tried to
satisfy a PKI-related activity that in number of users, already is much
bigger than S/MIME, i.e. the concept of "Web Signing"?
What is this suppose
Ian G wrote:
Nelson Bolyard wrote:
Eddy Nigg wrote:
On 11/19/2008 05:52 PM, Anders Rundgren:
In the meantime, wouldn't it be of some value if Mozilla tried to
satisfy a PKI-related activity that in number of users, already is much
bigger than S/MIME, i.e. the concept of "Web Signing"?
What i
Ian G wrote:
Um. So these tools organise a signature from a client cert over the
text in the form text box, and then post the signature up to the server?
The crypto.signtext() function is given a text string, and the browser
UI pops up a dialog box that invites the user to read the text, and
Responding to two at once!
Graham Leggett wrote:
Anders Rundgren wrote:
I also understand your worries regarding what to sign and I would
be very dishonest if I said I have "solved" it. In fact, my design
doesn't even address this issue (!) except that it of course builds
on the assumption th
Ian G wrote:
OK, that's interesting but equally worrying that the business people
were asking that question, above all others. If so, this would suggest
to me that your business people had spent too long in the fluffy "do
what lawyers say" world, and had forgotten they had a business to run?
On Nov 19, 2:27 am, Eddy Nigg <[EMAIL PROTECTED]> wrote:
> On 11/19/2008 01:59 AM, kgb:
>
> Hi Kevin,
>
> > WISeKey has made some changes to its practices, since the last public
> > discussion period.
>
> I'm glad to hear that! Can you point to what specifically has been
> changed since then?
>
Hi Eddy,
On Nov 19, 3:14 am, Eddy Nigg <[EMAIL PROTECTED]> wrote:
> Frank:
>
> The Wisekey case could be where we might draw the line. Provided that
>
> - there is a *good compelling reason* for using sub-ordinate
> certificates in first place, limited to the domains under the control of
> the owner
Graham Leggett wrote:
Ian G wrote:
Um. So these tools organise a signature from a client cert over the
text in the form text box, and then post the signature up to the server?
The crypto.signtext() function is given a text string, and the browser
UI pops up a dialog box that invites the use
Ian G wrote:
This requires a client-certificate HTTPS connection to the webserver
to make it happen?
No, this can happen over an insecure http connection. The connection
between the browser and server has nothing to do with the
crypto.signtext() function.
Typically, you would probably want
Have you looked into this paper?
http://webpki.org/papers/wasp/wasp-faq.html
Unfortunately I believe there are too many uncoordinated views on this matter
to return a fruitful discussion but let me tell you how it works in Sweden: In
Sweden all the banks supply proprietary signature clients tha
Eddy Nigg wrote:
The Wisekey case could be where we might draw the line.
I'm not sure exactly which message (of mine or someone else's) you're
responding to.
In any case I don't think there's a "bright line" between the various
scenarios involving independently-operated subordinate CAs. How
Ian G wrote, On 2008-11-20 07:53:
> Graham Leggett wrote:
>> Having designed a system that includes "web signing" using
>> crypto.signtext() for an insurance company to handle claim approvals, I
>> can tell you that the primary question of the business people who used
>> the system was "just wha
On 11/20/2008 10:21 PM, Frank Hecker:
Eddy Nigg wrote:
The Wisekey case could be where we might draw the line.
I'm not sure exactly which message (of mine or someone else's) you're
responding to.
I referred to the general discussion about sub roots.
In any case I don't think there's a "br
On 11/20/2008 06:34 PM, kb:
Probably the most important change in stated practice, is that it is
reflected that every CA is audited at least once annually. This is the
case for all active CAs.
Kevin, thanks for clarifying this. It indeed was one of the concerns
raised last time.
The com
Ian G wrote, On 2008-11-20 06:04 PST:
> Nelson Bolyard wrote:
> Um. So these tools organise a signature from a client cert over the
> text in the form text box, and then post the signature up to the server?
Well, I can only speak for what Mozilla browsers do. They generate a
"document" that co
Hi Nelson, welcome to this fun debate :)
Nelson B Bolyard wrote:
Ian G wrote, On 2008-11-20 07:53:
Graham Leggett wrote:
Having designed a system that includes "web signing" using
crypto.signtext() for an insurance company to handle claim approvals, I
can tell you that the primary question o
Hi folks. I'm having some trouble using CERT_ImportCerts.
A minimal demo of the problem is at
http://kegel.com/cert-import-demo.cc
All this does is take a base 64 cert, decode it, and import it.
I have verified with the sequence
$ mkdir ~/.netscape
$ certutil -N
$ certutil -A -n foo -t "p,p,p"
On Nov 20, 4:23 pm, DanKegel <[EMAIL PROTECTED]> wrote:
> First problem:
> Decoding fails because NSSBase64_DecodeBuffer appears
> to barf on the trailing ---END CERTIFICATE---.
> Am I using this function properly? It seems to have
> code to skip trailing garbage, but evidently it's
> too fragile
Wolfgang Rosenauer wrote:
Hi,
Hans Petter Jansson wrote:
This database only fails to migrate if the target database was not
already created by another, successful merge, though.
I think you're saying that the failures only occur if the "target" (cert9)
DB doesn't already exist wh
Ian G wrote:
That wasn't my question. Here's my question again: How do you show any
person afterwards that the person signed it?
I mean: how does Alice look tomorrow in this system to see what she
signed? Next year? How does Bob look next year to see what Alice
signed? How does Trent, s
DanKegel wrote, On 2008-11-20 16:23:
> Hi folks. I'm having some trouble using CERT_ImportCerts.
> A minimal demo of the problem is at
> http://kegel.com/cert-import-demo.cc
> First problem:
> Decoding fails because NSSBase64_DecodeBuffer appears
> to barf on the trailing ---END CERTIFICATE---
On Nov 20, 6:14 pm, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
> When I change the sample program so that cert_text no longer contains
> the -BEGIN and -END lines, and so that the value assigned to
> len no longer includes the trailing NUL character, then when I run
> the program, it outpu
Robert Relyea wrote:
Ken wrote:
2008/11/15 Robert Relyea <[EMAIL PROTECTED]>:
NZzi wrote:
Robert Relyea wrote:
NZzi wrote:
hi all:
I want to use private key to encrypt a message,
and decrypt with public key.
Are you encrypting data or a symmetric Key?
Most of