Re: NSS support for RFC7512 PKCS#11 URIs

2015-05-04 Thread Jan Pechanec
On Fri, 1 May 2015, David Woodhouse wrote: On Fri, 2015-05-01 at 11:35 +0100, Alan Braggins wrote: On 30/04/15 17:56, David Woodhouse wrote: Has anyone looked at implementing RFC7512 support, allowing an object to be specified by a PKCS#11 URI? I don't suppose you know why RFC 7512 uses

Re: Problems with FF and internal certificates

2015-05-04 Thread Tanvi Vyas
Posting to mozilla-dev-tech-crypto instead. firefox-dev to bcc. On Apr 27, 2015, at 2:03 PM, Michael Peterson michaelpeterson...@gmail.com wrote: Firefox does not like our internal certificates. I'm trying to figure out why... tl;dr - Our internal IIS servers, signed with our

Re: Problems with FF and internal certificates

2015-05-04 Thread Hubert Kario
On Friday 01 May 2015 12:11:00 Tanvi Vyas wrote: On Apr 27, 2015, at 2:03 PM, Michael Peterson michaelpeterson...@gmail.com wrote: Firefox does not like our internal certificates. I'm trying to figure out why... tl;dr - Our internal IIS servers, signed with our internal CA,

Re: NSS support for RFC7512 PKCS#11 URIs

2015-05-04 Thread Robert Relyea
On 05/03/2015 02:17 AM, David Woodhouse wrote: On Sat, 2015-05-02 at 18:33 -0700, Jan Pechanec wrote: On Fri, 1 May 2015, David Woodhouse wrote: On Fri, 2015-05-01 at 11:35 +0100, Alan Braggins wrote: On 30/04/15 17:56, David Woodhouse wrote: Has anyone looked at implementing RFC7512

Re: Problems with FF and internal certificates

2015-05-04 Thread Brian Smith
On Fri, May 1, 2015 at 9:11 AM, Tanvi Vyas tv...@mozilla.com wrote: On Apr 27, 2015, at 2:03 PM, Michael Peterson michaelpeterson...@gmail.com wrote: Now, in the album I posted above (https://imgur.com/a/dmMdG), the last two screenshots show a packet capture from Wireshark. It appears that

Re: Problems with FF and internal certificates

2015-05-04 Thread Robert Relyea
On 05/04/2015 10:09 AM, Brian Smith wrote: On Fri, May 1, 2015 at 9:11 AM, Tanvi Vyas tv...@mozilla.com wrote: On Apr 27, 2015, at 2:03 PM, Michael Peterson michaelpeterson...@gmail.com wrote: Now, in the album I posted above (https://imgur.com/a/dmMdG), the last two screenshots show a

Re: NSS support for RFC7512 PKCS#11 URIs

2015-05-04 Thread David Woodhouse
On Mon, 2015-05-04 at 09:21 -0700, Robert Relyea wrote: So in NSS, CKA_LABEL is simply a shortcut to CKA_SUBJECT. That is, NSS looks up a cert from the nickname and picks all the certs that match that cert's subject. Hm... so if I have two certificates; one with: CKA_SUBJECT: My CA

Re: NSS support for RFC7512 PKCS#11 URIs

2015-05-04 Thread Ryan Sleevi
On Mon, May 4, 2015 1:25 pm, David Woodhouse wrote: Surely that's not unique? Using the above example, surely the first certificate issued by the 2010 instance of 'My CA', and the first certificate issued by the 2015 instance, are both going to have identical CKA_ISSUER and

Re: NSS support for RFC7512 PKCS#11 URIs

2015-05-04 Thread David Woodhouse
On Mon, May 4, 2015 1:25 pm, David Woodhouse wrote: Surely that's not unique? Using the above example, surely the first certificate issued by the 2010 instance of 'My CA', and the first certificate issued by the 2015 instance, are both going to have identical CKA_ISSUER and