Re: OCSP with proxies, changes to NSS, and to SSL in PSM

2006-02-02 Thread Kai Engert
of unwinding our blocking NSS APIs from Necko, so we can use Necko while we are blocked. Kai Jean-Marc Desperrier wrote: Kai Engert wrote: Did you produce an application that includes not just NSS, but also PSM and it's additional SSL layering? If your own application using PSM is not yet

Please help testing SSL in Mozilla clients

2006-02-02 Thread Kai Engert
, Thunderbird and Semonkey for Linux, Mac OS X and Win32 available. (All names are trademarks of their respective owners) http://kuix.de/mozilla/ocspproxy/20060202/ Please feel free to provide feedback by private mail (kengert@), all comments are highly welcome. Thanks and Regards, Kai Kai Engert

Re: Retrieving server certificate from within plug-in code

2006-03-10 Thread Kai Engert
Nelson B wrote: Philip Hoyer wrote: I was wondering if it is possible to get hold of, within a Firefox plug in code or Javascript, the certificate of the server of the SSL session (one way) of the page on which the plug in or script resides. So basically 1) URL typed into browser

Re: certificate requirements for crypto.signText

2006-04-11 Thread Kai Engert
Kai Engert wrote: Jean-Marc Desperrier wrote: I don't know where Bob's message appeared originally. It's not on the newsserver, on google or my mail (might be the fault of the strong filtering on alussinan.org). Bob sent his message to the dev-tech-crypto mailinglist that is supposed

Re: hashing without calling NSS_Init()?

2006-05-19 Thread Kai Engert
Wan-Teh Chang wrote: So, if the app has already initialized NSS, you just go ahead and use NSS functions. Else, you have to initialize NSS (in the no database mode) first, and have to shut down NSS. This sample code assumes that this thread is the only thread that may initialize NSS in the

Re: hashing without calling NSS_Init()?

2006-05-19 Thread Kai Engert
Brian Ryner wrote: I'll do some profiling to make sure it's the DB initialization that's causing the performance hit. I guess maybe I should have mentioned that I'm currently using these methods through the nsICryptoHash XPCOM wrapper. I recommend that you continue to use this API. Using

Re: hashing without calling NSS_Init()?

2006-05-19 Thread Kai Engert
will be available to Firefox, eg. all SSL connections will fail due to the lack of trusted CA certs. I can't help you with which PSM functions you need to call to ensure that PSM is initialized unfortunately, but Kai Engert should know the answer. PSM will get initialized automatically at the time

Re: OCSP/CRL handling in Firefox

2006-08-08 Thread Kai Engert
Nelson B Bolyard wrote: Presently, A user must initiate the first fetch of a CRL from the CA. CRLs are fetched asynchronously from cert chain validation. CRLs are stored on disk locally, IIRC. After fetching the first one, mozilla clients will fetch subsequent CRLs automatically on a periodic

Re: Multiple certificate databases with NSS 3.11

2006-09-12 Thread Kai Engert
Bob Relyea wrote: Matthew Gertner wrote: We want our extension to have its own certificate database, separate from the one used by Firefox. Apparently this will be possible with NSS 3.11, but I was told that there might be an issue with the internal data structures. If PSM handles global

Re: Mozilla's use of AIA caIssuers URIs

2006-09-26 Thread Kai Engert
Both your root.cert and cacert.cert seem to have same serial number and issuer. That is forbidden. But even if your certs had unqiue serial numbers, I don't know whether NSS would be able to fetch that intermediate dynamically from the web. I doubt it. Kai Anders Rundgren wrote: The

Re: Turning on OCSP verification generates many errors

2007-04-16 Thread Kai Engert
[EMAIL PROTECTED] wrote: On Mar 30, 7:13 pm, Bill Burns [EMAIL PROTECTED] wrote: Yes -- and we'll have screen shots of example websites that are throwing OCSP-related errors because some well-known public CAs cough are not scaled up to fully support OCSP. With Vista, this is going to be

Re: Is there a way to serialize an nsNSSCertificate to disk?

2007-07-12 Thread Kai Engert
Boris Zbarsky schrieb: I'm not sure what parts of the CERTCertificate are needed for this; I'm hoping someone here will know. I would propose you always save the full CERTCertificate. I would prefer that we avoid having to implement special code for an after-restore scenario where only

Re: Is there a way to serialize an nsNSSCertificate to disk?

2007-07-13 Thread Kai Engert
Boris Zbarsky schrieb: Kai Engert wrote: nsIX509Cert expects the underlying CERTCertificate to be complete and valid, and serializing/restoring it based on the DER representation will ensure it. The message I got from Nelson's reply is that the DER representation doesn't actually

Re: Debug build

2008-05-14 Thread Kai Engert
I have one on my local system. Kai Eddy Nigg (StartCom Ltd.) wrote: Has anybody a debug build running somewhere as described at http://wiki.mozilla.org/PSM:EV_Testing ? I'd like to ask for a small favor before tinkering with my own build... ___

Re: Debug build

2008-05-16 Thread Kai Engert
Eddy Nigg (StartCom Ltd.) wrote: For the sport I'm following http://wiki.mozilla.org/PSM:EV_Testing and I'm not sure about the fourth paramenter of the test_ev_roots.txt file: 4_serial The page says: One noteworthy detail are the issuer and serial number fields, those most be

Re: https flow

2008-06-24 Thread Kai Engert
Pawel P wrote: I want to overwrite default mozilla 1.9 behavior in https flow. I want to be informed about certificates (especially bad). I'll show my own certificate dialogs to user and user will decide if accept certificate or not. In mozilla 1.8 I used nsIBadCertListener interface to do

Re: jss and new libraries in ff3

2008-06-24 Thread Kai Engert
Abraham wrote: I deployed an applet that uses jss in order to get certs (and associated private keys) on firefox keystore and sign electronic documents. The applet works well in Firefox 2, but in Firefox 3 the browser crashes when my implementation of PasswordCallback provides the token

Re: A general question about libnss3

2008-07-18 Thread Kai Engert
Ruchi Lohani wrote: Hi, Can anybody tell me something about the various nss packages that are there in ubuntu (hardy). I see libnss3-0d libnss3-1d libnss3-1d-dbg libnss3-dev etc. I have the following in my /usr/lib lrwxrwxrwx 1 root root 13

Re: Which piece of code prompts for master password?

2008-07-18 Thread Kai Engert
Sune Mølgaard wrote: With sm trunk, I get a whole bunch of prompts for the master password on startup. https://bugzilla.mozilla.org/show_bug.cgi?id=348997 smime.p7s Description: S/MIME Cryptographic Signature ___ dev-tech-crypto mailing list

Re: A general question about libnss3

2008-07-18 Thread Kai Engert
PROTECTED]' : undefined reference to [EMAIL PROTECTED]' : undefined reference to `PR_Initialized' : undefined reference to [EMAIL PROTECTED]' Thanks -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kai Engert Sent: Friday, July 18, 2008 10:14 AM To: mozilla's

NSS Shared DB ready for testing

2008-08-04 Thread Kai Engert
On behalf of Bob Relyea, who did the majority of the work on this feature, we would like to announce that a new feature for sharing the NSS database amongst multiple applications is ready for testing. The feature is included in NSS 3.12 which is the version that got shipped in Firefox 3. We

Re: inserting own extended validation certificate root

2008-08-25 Thread Kai Engert
[EMAIL PROTECTED] wrote: for normal CAs, it's an easy task to add them as trusted root to Mozilla. Now I'm trying to setup my own local extended validation CA. Is it possible to add it locally as trusted root? On the OpenSSL mailing list I was told this wouldn't be an easy tasks, as EV CAs are

Re: Using Crypto APIs from Add-on (in Javascript)

2008-08-29 Thread Kai Engert
Dominik schrieb: I am developing a JavaScript-based Firefox add-on which could make use of cryptography primitives like encrypting/decrypting short strings with RSA/AES. A pure JS implementation of those algorithms is way to slow. I have come across the NSS library which seems to be part of the

Re: FireFox v3.0.1 of Windows uses SSLv2 Record Layer even when SSLv2 is disabled

2008-09-02 Thread Kai Engert
Nelson B Bolyard wrote: Wan-Teh Chang wrote, On 2008-09-02 10:36: I believe this is the relevant source code in Firefox: http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSComponent.cpp#1596 The above code sets the default for a new socket. I believe this

Re: Validation (OCSP) Preferences

2008-09-09 Thread Kai Engert
Neil wrote: Bug 110161 turned on OCSP by default. It also followed this up by changing the UI from a group of three radio buttons to a checkbox and a pair of radiobuttons. However these three controls fight over the same preference. This makes for some hairy preference code, but also I

Re: Unable to change password of FIPS enabled internal key token

2008-10-06 Thread Kai Engert
Subrata Mazumdar wrote: I am using Firefox 3.0.3. I have FIPS enabled the software security device using Secuirty Devices dialog window in PSM. This step forced me to add password protect the internal Key token (Software security device). Then, I tried to change the password of the internal key

Re: Unable to change password of FIPS enabled internal key token

2008-10-06 Thread Kai Engert
Kai Engert wrote: Subrata Mazumdar wrote: I am using Firefox 3.0.3. I have FIPS enabled the software security device using Secuirty Devices dialog window in PSM. This step forced me to add password protect the internal Key token (Software security device). Then, I tried to change the password

Re: Unable to change password of FIPS enabled internal key token

2008-10-06 Thread Kai Engert
Wan-Teh Chang wrote: - The password must be at least seven characters long. - The password must consist of characters from three or more character classes (uppercase, lowercase, digits, etc.). NSS rejects abcDEF7 although it matches your above description. Kai smime.p7s Description:

Re: EV Certs with SeaMonkey?

2008-11-04 Thread Kai Engert
Nelson Bolyard wrote: SM 2.0 alpha pre-release does use NSS 3.12, but it still does not support EV UI. Although I use SM trunk builds exclusively, I have never seen a green bar or the authenticated web site principal name or country name in the chrome anywhere. I see no difference between EV

Re: EV Certs with SeaMonkey?

2008-11-04 Thread Kai Engert
Nelson Bolyard wrote: SM 2.0 alpha pre-release does use NSS 3.12, but it still does not support EV UI. Although I use SM trunk builds exclusively, I have never seen a green bar or the authenticated web site principal name or country name in the chrome anywhere. I see no difference between EV

Re: Help Signature Verification Error: !

2008-11-06 Thread Kai Engert
Nelson B Bolyard wrote: Pardon my ignorance, but, what is CentOS ? CentOS is the name of a Linux distribution. Kai smime.p7s Description: S/MIME Cryptographic Signature ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org

CAs and external entities (resellers, outsourcing)

2008-12-28 Thread Kai Engert
After having read the posts related to the unbelievable event, I understand the event involved an approved CA and an external entity they work with. From my perspective, it's a CA's job to ensure competent verification of certificate requests. The auditing required for CAs is supposed to prove

Re: CAs and external entities (resellers, outsourcing)

2008-12-30 Thread Kai Engert
Ian G wrote: Which language suggests they have to do verification *themselves* ? The fact that the policy talks about a CA, and I didn't see talk about external entities. BTW, it would be quite problematic to insist that the CAs do this job themselves. CAs are not generally experts on

Re: CAs and external entities (resellers, outsourcing)

2008-12-30 Thread Kai Engert
Eddy Nigg wrote: On 12/28/2008 01:13 PM, Kai Engert: The current Mozilla CA Certificate Policy says: 6. We require that all CAs whose certificates are distributed with our software products: ... provide attestation of their conformance to the stated verification requirements ... Kai, just

Re: Fix for the TLS renegotiation bug

2010-02-18 Thread Kai Engert
On 18.02.2010 02:45, Eddy Nigg wrote: If you currently have a https site that's partly open and partly accessed only with client authentication, I think the only reasonable way out is to break it in two. Not sure what you mean, but the server doesn't accept client initiated renegotiation.

Re: Fix for the TLS renegotiation bug

2010-02-23 Thread Kai Engert
On 23.02.2010 02:21, Jan Schejbal wrote: Hi, Test server at https://ssltls.de none of the two images is visible with my Fx3.6. I don't give any guarantees about my prefs and addons, though. Jan Firefox 3.6 does not yet have any fixes for this. As of today, only the experimental nightly

Re: Fix for the TLS renegotiation bug

2010-02-23 Thread Kai Engert
On 23.02.2010 02:21, Jan Schejbal wrote: Hi, Test server at https://ssltls.de none of the two images is visible with my Fx3.6. I don't give any guarantees about my prefs and addons, though. Jan Firefox 3.6 does not yet have any fixes for this. As of today, only the experimental nightly

Improving SSL client auth and bad certificate reporting in non-browser applications

2010-03-16 Thread Kai Engert
I'd like to announce two design documents. The primary intention is to improve the functionality of SSL client authentication in Mozilla software. In short, we'd like to stop the current prompts and implement a better user interface. The basic idea is to show an indicator in chrome whenever

Re: Improving SSL client auth and bad certificate reporting in non-browser applications

2010-03-17 Thread Kai Engert
On 17.03.2010 02:40, Wan-Teh Chang wrote: Is your proposal or Aza Raskin's proposal similar to the proposal that Henry Story of the foaf project has been advocating? No, under the assumption you're refering to http://esw.w3.org/Foaf%2Bssl Contrary to foaf+ssl I'm not proposing any new

Re: Improving SSL client auth and bad certificate reporting in non-browser applications

2010-03-26 Thread Kai Engert
, but I'm fine with any location in primary chrome. If neither client auth nor bad certs are involved, all icons are hidden. On 16/03/10 23:12, Kai Engert wrote: In short, we'd like to stop the current prompts and implement a better user interface. I think that it would be extremely wise

Re: Improving SSL client auth and bad certificate reporting in non-browser applications

2010-03-28 Thread Kai Engert
On 28.03.2010 06:19, Nelson B Bolyard wrote: The sequence of events in the dialog is likely, IMO, to give the users the impression that client authentication is a user-initiated act, rather than a server initiated act. It seems to say to the user, if you want to authenticate to this server with

Re: Alerts on TLS Renegotiation

2010-03-31 Thread Kai Engert
On 31.03.2010 14:26, Eddy Nigg wrote: [ Please follow up to mozilla.dev.tech.crypto ] After some discussion at bug 554594 I'm following up here - the bug was unfortunately misused by me a little for the initial discussion. At https://wiki.mozilla.org/Security:Renegotiation under item 4.4 the

Re: Improving SSL client auth and bad certificate reporting in non-browser applications

2010-04-01 Thread Kai Engert
sites... If the user authenticates using a certificate, we could show the following menu: www.site.com (disabled menu item) Log out x Authenticated (Kai Engert, StartCom Free Certificate Member) Authenticate using a different Certificate

Re: Alerts on TLS Renegotiation

2010-04-08 Thread Kai Engert
On 09.04.2010 00:41, Matt McCutchen wrote: On Thu, 2010-04-08 at 09:59 -0700, Robert Relyea wrote: The yellow larry is a good proposal, and probably implementable much sooner than noisy warnings. I'm glad you like it. I guess the next thing needed is for someone to actually implement it,

Re: Certificate Patrol error (or malformed ssl certificate?)

2010-04-12 Thread Kai Engert
On 12.04.2010 07:36, Kurt Seifried wrote: Right but I can't find any contact info for certificate patrol and I figured if anyone knew about it, they're probably on this list. That and I couldn't find an add-ons mailing list (how does on get on contact with them?). The word contact doesn't occur

Re: Certificate Patrol error (or malformed ssl certificate?)

2010-04-12 Thread Kai Engert
On 12.04.2010 16:22, Kai Engert wrote: On 12.04.2010 07:36, Kurt Seifried wrote: Right but I can't find any contact info for certificate patrol and I figured if anyone knew about it, they're probably on this list. That and I couldn't find an add-ons mailing list (how does on get on contact

What if a compelled CA scenario gets combined with Tor (The Onion Router)?

2010-05-19 Thread Kai Engert
Today I read some technical documents at http://www.torproject.org which is a project that tries to enhance anonymity of Internet users, or allow Internet users to circumvent censorship. With Tor, your outgoing connections will be routed (using encryption) to a chain of random Tor servers,

Please don't use NSPR 4.8.5

2010-07-01 Thread Kai Engert
Please don't use NSPR 4.8.5. The release tag got created without release testing and without coordination. The NSPR/NSS team has decided to delete the CVS tag, which I'll do shortly. The next official release will be NSPR 4.8.6 Thanks and Regards, Kai -- dev-tech-crypto mailing list

NSS 3.12.7 released

2010-08-06 Thread Kai Engert
NSS version 3.12.7 has been released and is available from ftp.mozilla.org It should be used with NSPR version 4.6.8 (announcing on behalf of the NSS team) Kai -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Announcing a NSS release for Blocking Fraudulent Certificates

2011-03-23 Thread Kai Engert
This announcement is related to the same underlying issue as reported in http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates/ While the above mentioned hotfix was made at the Mozilla client application level, we would like to provide a hotfix at the NSS level,

Announcing NSPR 4.8.8 and NSS 3.12.10

2011-05-07 Thread Kai Engert
NSPR 4.8.8 has been released. CVS tag NSPR_4_8_8_RTM ftp://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.8.8/src/ NSS 3.12.10 has been released. CVS tag NSS_3_12_10_RTM ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_10_RTM/src/ Regards -- dev-tech-crypto mailing list

Announcing an experimental public S/MIME keyserver

2011-06-02 Thread Kai Engert
In short, go to http://kuix.de/smime-keyserver/ and give it a try. Although I can't guarantee that this service will continue to run, I will try to keep it up, and I would like to see many people using it. Longer explanation: The GPG/PGP world has long known the concept of keyservers -

Re: Announcing an experimental public S/MIME keyserver

2011-06-06 Thread Kai Engert
How are cert renewals handled? Will you send an e-mail about certs soon to be expired to encourage the user to send in a newer cert? Not yet, but it wouldn't be a lot of work to setup a daily cronjob that walks through the list of stored certs. Also note that one of the issues is that the

Re: Announcing an experimental public S/MIME keyserver

2011-06-08 Thread Kai Engert
On 03.06.2011 00:12, Kai Engert wrote: In short, go to http://kuix.de/smime-keyserver/ and give it a try. ... (as of today, the keyserver accepts the same signing roots as Mozilla software. It also allows certs from cacert.org) In addition it will also accept the certs from http

Re: Announcing an experimental public S/MIME keyserver

2011-06-08 Thread Kai Engert
On 08.06.2011 13:51, Jean-Marc Desperrier wrote: Is the script smart enough to identify and extract the encryption certificate in the mail when the sender uses separate signature and encryption certificates ? (and of course the S/MIME properties are correctly set to identify this, and propagate

Re: Announcing an experimental public S/MIME keyserver

2011-06-08 Thread Kai Engert
On 08.06.2011 14:15, Jean-Marc Desperrier wrote: This seems to be solved with my implementation, because my keyserver can forward the original signed message. But it's not really a great solution. Why not? I'm thinking the following could solve the problem Please help me: which problem

Re: Announcing an experimental public S/MIME keyserver

2011-06-10 Thread Kai Engert
On 10.06.2011 13:33, Jean-Marc Desperrier wrote: Kai Engert wrote: I'm thinking the following could solve the problem Please help me: which problem is it, that you want to solve, that isn't yet solved by the current implementation? Ease of use, understandability of the process

Proposal: implement a MITM report addon

2011-06-17 Thread Kai Engert
I would like to propose that someone could implement an addon for Mozilla applications with the following functionality: - it comes with a list of several hundred known major services, including https and email servers. - if the user gets a certificate error on one of the major sites, we

Re: Announcing an experimental public S/MIME keyserver

2011-06-17 Thread Kai Engert
On 16.06.2011 13:52, Gervase Markham wrote: On 11/06/11 12:03, Michael Ströder wrote: This means if the user accidently sent in contact information in an e-mail footer this information is also disclosed. If not already there you should put a strong hint on the web page that the signed S/MIME

Re: Proposal: implement a MITM report addon

2011-06-28 Thread Kai Engert
Hi Ralph, if you have resources to work on this or to coordinate this, please go ahead. I haven't yet. If I should, I would contact you to coordinate. Regarding traceroute, you could look at the existing WorldIP Add-On, which claims to support it, and potentially copy that code, under the

NSPR 4.8.9 and NSS 3.12.11

2011-08-10 Thread Kai Engert
NSPR 4.8.9 and NSS 3.12.11 have been released and are available for download from ftp.mozilla.org or using CVS tags NSPR_4_8_9_RTM / NSS_3_12_11_RTM Kai -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

For discussion: MECAI: Mutually Endorsing CA Infrastructure

2011-10-21 Thread Kai Engert
This is an idea how we could improve today's world of PKI, OCSP, CA's. https://kuix.de/mecai/ Review, thoughts and reports of flaws welcome. Thanks and Regards Kai -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

NSS 3.13.1 released

2011-10-28 Thread Kai Engert
The NSS team released version 3.13.1, a general patch release. ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_13_1_RTM/src/ SHA1SUM: d8e7ee9f9f1e0bfa2ea8b72d25727634fea130a6 nss-3.13.1.tar.gz Kai -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org

Re: Encouraging OCSP stapling: please test Apache 2.3.x

2011-11-08 Thread Kai Engert
(a) I've installed Apache 2.3.14-beta with OCSP stapling enabled at: https://kuix.de:5143/ - good certificate https://kuix.de:5144/ - revoked certificate Thanks to StartCom for providing me with free certificates, and also for providing a free revocation service. (b) Note to other CAs, (as

Re: For discussion: MECAI: Mutually Endorsing CA Infrastructure

2011-12-06 Thread Kai Engert
On 21.10.2011 15:09, Kai Engert wrote: This is an idea how we could improve today's world of PKI, OCSP, CA's. https://kuix.de/mecai/ After more brainstorming I came up with some incremental ideas. Thanks a lot to Adam Langley for pointing out scenarios that weren't yet sufficiently handled

Re: OCSP-in-DNS (was Re: For discussion: MECAI: Mutually Endorsing CA Infrastructure)

2011-12-14 Thread Kai Engert
Just a quick thought, that I don't want to lose. Maybe it would be a reasonable middle-ground to define: - for intermediate CAs, OCSP information is published in DNS - for servers, we use OCSP stapling (Rob, thanks for your response, I'm still digesting.) Regards Kai -- dev-tech-crypto mailing

Re: For discussion: MECAI: Mutually Endorsing CA Infrastructure

2012-02-06 Thread Kai Engert
On 21.10.2011 15:09, Kai Engert wrote: This is an idea how we could improve today's world of PKI, OCSP, CA's. https://kuix.de/mecai/ Review, thoughts and reports of flaws welcome. Thanks to Peter Eckersley, who first mentioned to me at 28c3 that there is one scenario that isn't solved

Re: For discussion: MECAI: Mutually Endorsing CA Infrastructure

2012-02-07 Thread Kai Engert
My previous message was a proposed solution to the problem attacker is close to the server and uses it to obtain a new fraudulent cert, and I proposed to use an organizational approach to prevent that attack. In addition, another potential attack is, the attacker has obtained a certificate

Re: For discussion: MECAI: Mutually Endorsing CA Infrastructure

2012-02-07 Thread Kai Engert
On 07.02.2012 17:54, Ondrej Mikle wrote: The phone calls would ensure that each registered person will be aware of the certificate issuance. This is getting very close to EV validation (Sovereign Keys have the same issue). I'd say making phone calls is less effort than checking business

Re: Google about to fix the CRL download mechanism in Chrome

2012-02-08 Thread Kai Engert
My criticism: (a) I don't like it that the amount of CRLs will be a subset of all CRLs. What about all the revoked certificates that aren't included in the list? With a dynamic mechanism like OCSP (and in the future OCSP stapling) you don't have to make a selection. (b) I don't like it

NSPR 4.9 and NSS 3.13.2

2012-02-18 Thread Kai Engert
We have released NSPR 4.9, cvs tag NSPR_4_9_RTM We have released NSS 3.13.2, cvs tag NSS_3_13_2_RTM Source code is available from ftp://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.9/src/ ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_13_2_RTM/src/ Kai -- dev-tech-crypto

Firefox 10 and NSPR

2012-02-18 Thread Kai Engert
Due to an oversight, the official Firefox 10 release was shipped with a beta snapshot of the NSPR base library. We believe this is a minor issue, the difference between the beta snapshot and the final version 4.9 are small. You may inspect the differences at

Re: ETA on smaller stick penalty for CA Violations? (paging bsmith)

2012-02-19 Thread Kai Engert
On 19.02.2012 02:46, Stephen Schultze wrote: Brian has in the past discussed proposed updates to NSS that would allow us to penalize bad CA behavior by removing trust of all certs from a given CA that were issued after a given date (or even for X amount of time after a given date). Someone

NSS 3.13.3

2012-02-22 Thread Kai Engert
We have released NSS 3.13.3 The motivation for this quick follow-up release were the fixes for bug 727204 and bug 724929. ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_13_3_RTM/src/ Regards Kai -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org

Combining OCSP stapling with advance MITM preparation

2012-02-23 Thread Kai Engert
While working on an updated paper of the MECAI proposal (which I hope to post in the next couple of days), the following orthogonal idea came to me. I don't know whether it is a new idea, or whether it has been discussed/mentioned before. Let's say the owner of a domain learns that a rogue

Combining OCSP stapling with advance MITM preparation

2012-02-23 Thread Kai Engert
I've just sent the following message to Mozilla's dev-tech-crypto mailing list, and I thought you might be interested, too. While working on an updated paper of the MECAI proposal (which I hope to post in the next couple of days), the following orthogonal idea came to me. I don't know

Re: Combining OCSP stapling with advance MITM preparation

2012-02-23 Thread Kai Engert
On 23.02.2012 20:53, Kai Engert wrote: I've just sent the following message to Mozilla's dev-tech-crypto mailing list, and I thought you might be interested, too. I apologize for the double post, the second post was intended for a different mailing list... -- dev-tech-crypto mailing list

MECAI proposal - Version 2

2012-02-23 Thread Kai Engert
Please find a more detailed description of my proposal MECAI - Mutually Endorsing CA Infrastructure at https://kuix.de/mecai/mecai-proposal-v2.pdf (PDF, 12 pages) I'm looking forward to your feedback, please let me know if parts are difficult to understand or need clarification. Best

Automatic announcements for Mozilla's NSS/NSPR upgrades

2012-02-26 Thread Kai Engert
I would like to make you aware of a new public mailing list, it can be helpful it you want to track which NSPR/NSS versions are used by Mozilla software. https://kuix.de/mailman/listinfo/moz-nss-nspr Description: This list watches several Mozilla (Firefox) branches and will send announcement

Re: Automatic announcements for Mozilla's NSS/NSPR upgrades

2012-02-27 Thread Kai Engert
On 27.02.2012 18:09, Honza Bambas wrote: is there some way to just see the current state for each branch? If not, do you plan to build one? Yes: https://kuix.de/mozilla/versions/ Regards Kai -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org

NSS 3.13.4

2012-04-06 Thread Kai Engert
The NSS team has released NSS 3.13.4 CVS tag: NSS_3_13_4_RTM ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_13_4_RTM/ Please refer to https://bugzilla.mozilla.org/show_bug.cgi?id=741135 for the list of changes contained in this update. Kai -- dev-tech-crypto mailing list

Flowerbeetle Flowerduck

2012-05-11 Thread Kai Engert
I've started a project to produce an experimental browser (Flowerbeetle) and an experimental e-mail client (Flowerduck). The purpose is to enable early testing of security and PKI related changes, which are proposed for the Mozilla platform (including Firefox and Thunderbird), but which haven't

NSS 3.13.5

2012-06-05 Thread Kai Engert
NSS version 3.13.5 has been released and is available for download from ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_13_5_RTM/src/ Kai -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Is there an ETA yet for when Firefox will use libpkix by default?

2012-06-10 Thread Kai Engert
On 09.06.2012 11:53, Erwann Abalea wrote: Le vendredi 8 juin 2012 22:55:33 UTC+2, Rob Stradling a écrit : [...] Might there be a Firefox 13.x point-release that will enable libpkix by default? Will Firefox 14 enable libpkix by default? Or can you say that enabling libpkix by default will

Re: fix for 69557 in which release

2012-08-24 Thread Kai Engert
You provided a 5 digit bug number which is menu toolbar doesn't collapse. I guess you are asking about a different bug number? Regards Kai On 24.08.2012 10:46, Vasantharangan, Shruthi M. wrote: Hi, Could you kindly respond to the email below. Thanks Shruthi From: Vasantharangan,

Re: Contributing to the Mozilla / NSS / Bug 663733

2012-08-25 Thread Kai Engert
On 25.08.2012 09:58, Ismail JH wrote: I'm new here, and I would like to contribute in this bug: Bug 663733 - Add ability to generate signed OCSP responses for testing - Can this task be assigned to me ? You are welcome to work on it and submit patches, as attachments to the bug.

Re: removing built-in CAs from Thunderbird 15 Source

2012-09-11 Thread Kai Engert
On Fri, 2012-09-07 at 20:53 +0500, Muhammad Ashraf Nadeem wrote: I want to remove all of the buit-in certification authorities in it. please let me know how mozilla manages the authorities in its source code, i mean in which direcotry of source. The list of root certificates is part of

MD5 signatures will be disabled by default in NSS 3.14

2012-09-24 Thread Kai Engert
In the upcoming NSS 3.14 release, the default behavior for certificate signatures using the MD5 hash algorithm will change to reject by default (see Mozilla bug 590364). Starting with NSS 3.14, when attempting to validate certificates containing such signatures, a new error code can be returned:

NSS 3.14 release

2012-10-22 Thread Kai Engert
The NSS team has released Network Security Services (NSS) 3.14, which is a minor release with the following new features: - Support for TLS 1.1 (RFC 4346) - Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764) - Support for AES-CTR, AES-CTS, and AES-GCM - Support for Keying

Re: NSS 3.14 release

2012-10-25 Thread Kai Engert
On Thu, 2012-10-25 at 15:36 +0200, Wolfgang Rosenauer wrote: With that version the testsuite fails: [ 1202s] chains.sh: #2294: Test that OCSP server is reachable - FAILED [ 1202s] chains.sh: #4023: Test that OCSP server is reachable - FAILED [ 1202s] chains.sh: #6393: Test that OCSP server

Re: NSS Support for Encrypting File Attachments

2012-11-06 Thread Kai Engert
On Tue, 2012-11-06 at 22:19 +0800, tehhzstar wrote: Hello, Currently, does Mozilla NSS support encrypting of file attachments? Since it can encrypt email messages, I suppose, it can also support encrypting of file attachments? NSS supports encryption. Regarding email attachments, NSS

Re: programatically populating key3.db with a password encryption key

2012-11-14 Thread Kai Engert
On Wed, 2012-11-14 at 14:21 +, Gustavo Homem wrote: Hi, I am able to progamatically create key3.db from a script, using certutil -N -d ... Hi Gustavo, this simply prepares an empty database that you need for future operations. However this initalization does not add to this file a

Re: programatically populating key3.db with a password encryption key

2012-11-14 Thread Kai Engert
On Wed, 2012-11-14 at 15:15 +, Gustavo Homem wrote: So I need to find out how to call libnss se actually generate a key for key3.db. But I'm half amazed that it isn't possible via certutil or other CLI interface. We'll see, maybe it is, but first we need to identify exactly what you

Re: programatically populating key3.db with a password encryption key

2012-11-14 Thread Kai Engert
I haven't worked on the lowlevel code myself yet, so I'm not sure how exactly it works. But I just had a look at PSM code nsSDR.cpp, and I'm learning that secret decoder ring appears to be a functionality provided by NSS, because I see functions with prefix PK11SDR There is another NSS tool

PSM module ownership, switching my focus to NSS

2012-12-13 Thread Kai Engert
Brendan Eich suggested posting to this list, too (already posted yesterday to Mozilla's dev-planning list). Hello Mozilla, I'd like to announce a change. PSM is the name of Mozilla's glue code for PKI related [1] security features, such as certificate management, web based certificate

Proposing: Interactive Domain Verification Approval

2012-12-31 Thread Kai Engert
I propose to more actively involve users into the process of accepting certificates for domains. I envision a UI where users are required to approve once, whether the combination of a CA and a domain is acceptable to the user. The following UI would be shown whenever a user starts a connection

Proposing: Interactive Domain Verification Approval

2012-12-31 Thread Kai Engert
I propose to more actively involve users into the process of accepting certificates for domains. I envision a UI where users are required to approve once, whether the combination of a CA and a domain is acceptable to the user. The following UI would be shown whenever a user starts a connection

Re: Proposing: Interactive Domain Verification Approval

2012-12-31 Thread Kai Engert
On Mon, 2012-12-31 at 10:38 -0500, Eitan Adler wrote: * user gets confused: what the heck is this screen? It's good if users are educated what is going on. We could have a switch to completely turn this off, if the user really doesn't care. * user realizes that pressing yes usually works so

Re: Proposing: Interactive Domain Verification Approval

2012-12-31 Thread Kai Engert
On Mon, 2012-12-31 at 11:17 -0500, Eitan Adler wrote: Expect the user to click yes to every dialog if prompted without reading. [*] note, I am not talking about people like you or I that have an understanding of the implications here. I am talking about the typical user that studies have

Re: Proposing: Interactive Domain Verification Approval

2012-12-31 Thread Kai Engert
On Mon, 2012-12-31 at 16:26 +0100, Kai Engert wrote: I propose to more actively involve users into the process of accepting certificates for domains. I propose the following in addition: Each CA certificate shall have a single country where the CA organization is physically located

  1   2   3   >