Re: Step-by-step instructions on creating test email certificates

2008-02-20 Thread Eddy Nigg (StartCom Ltd.)
Nelson Bolyard wrote:
>
> Not sure, but I think it's this bug:
> Bug 252250 – Incorrect handling of S/MIME keys with multiple identities
> (need UI for per-identity cert settings)
>
>   
OK, I see the problem this bug describes.


-- 
Regards 
 
Signer: Eddy Nigg, StartCom Ltd. 
Jabber: [EMAIL PROTECTED] 
Blog:   Join the Revolution! 
Phone:  +1.213.341.0390
 

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: Step-by-step instructions on creating test email certificates

2008-02-20 Thread Nelson Bolyard
Eddy Nigg (StartCom Ltd.) wrote, On 2008-02-20 18:39:
> Nelson B Bolyard wrote:
>> Neil wrote, On 2008-02-20 16:33:
>>   
>>> I've been asked to review a patch that enhances the multiple identity UI 
>>> in Thunderbird/SeaMonkey by allowing email certificates to be selected 
>>> on a per-identity basis, rather than just for the main identity.
>>>
>>> It seems that building SeaMonkey will include certutil 
>>> 
>> Do SM builds build all the NSS commands?  That seems like a big waste.
>>   
> Funny, but I mailed Neil privately with some suggestions, but I'd be 
> really interested to know about which bug this is. 

Not sure, but I think it's this bug:
Bug 252250 – Incorrect handling of S/MIME keys with multiple identities
(need UI for per-identity cert settings)



Re: Step-by-step instructions on creating test email certificates

2008-02-20 Thread Eddy Nigg (StartCom Ltd.)
Nelson B Bolyard wrote:
> Neil wrote, On 2008-02-20 16:33:
>   
>> I've been asked to review a patch that enhances the multiple identity UI 
>> in Thunderbird/SeaMonkey by allowing email certificates to be selected 
>> on a per-identity basis, rather than just for the main identity.
>>
>> It seems that building SeaMonkey will include certutil 
>> 
>
> Do SM builds build all the NSS commands?  That seems like a big waste.
>   
Funny, but I mailed Neil privately with some suggestions, but I'd be 
really interested to know about which bug this is. Especially also what 
is meant by "per-identity basis" compared to "main identity". Just to get 
the feeling about what this is about...


-- 
Regards 
 
Signer: Eddy Nigg, StartCom Ltd. 
Jabber: [EMAIL PROTECTED] 
Blog:   Join the Revolution! 
Phone:  +1.213.341.0390
 



Re: Looking for details about PR_Init argument maxPTDs

2008-02-20 Thread Wan-Teh Chang
On Tue, Feb 19, 2008 at 7:02 PM, D3!$ <[EMAIL PROTECTED]> wrote:
> > In fact, it is no longer necessary to call PR_Init().  NSPR is now implicitly
> > initialized, usually by the first NSPR function the program calls.
>
> I believe that the above fact (and those like these..) should be
> mentioned separately in the NSPR documentation. I have been doing
> the initialization part explicitly since the word go...

OK, I fixed the documentation.
http://www.mozilla.org/projects/nspr/reference/html/prinit.html#15734
http://developer.mozilla.org/en/docs/PR_Init

Wan-Teh


Re: Step-by-step instructions on creating test email certificates

2008-02-20 Thread Nelson B Bolyard
Neil wrote, On 2008-02-20 16:33:
> I've been asked to review a patch that enhances the multiple identity UI 
> in Thunderbird/SeaMonkey by allowing email certificates to be selected 
> on a per-identity basis, rather than just for the main identity.
> 
> It seems that building SeaMonkey will include certutil 

Do SM builds build all the NSS commands?  That seems like a big waste.

> which looks as if it is more than capable of the task but unfortunately
> the raft of options make no sense at all to me nor was I able to find any
> examples of creating email certificates.

> Would someone mind providing a command line that will do the job, 
> preferably installing the certificate directly into my test profile 
> (with the test email address [EMAIL PROTECTED])!

Tell us a little more about the certs you want.
Self signed?
Issued by a CA?
The rest we can probably guess

/Nelson


Step-by-step instructions on creating test email certificates

2008-02-20 Thread Neil
I've been asked to review a patch that enhances the multiple identity UI 
in Thunderbird/SeaMonkey by allowing email certificates to be selected 
on a per-identity basis, rather than just for the main identity.

It seems that building SeaMonkey will include certutil which looks as if 
it is more than capable of the task but unfortunately the raft of 
options make no sense at all to me nor was I able to find any examples 
of creating email certificates.

Would someone mind providing a command line that will do the job, 
preferably installing the certificate directly into my test profile 
(with the test email address [EMAIL PROTECTED])!

Thanks in advance,
Neil.

-- 
Warning: May contain traces of nuts.


Re: QuoVadis request for root upgrade to EV

2008-02-20 Thread Frank Hecker
Frank Hecker wrote:
> QuoVadis has applied to upgrade an existing root CA certificate for EV 
> use, as documented in the following bug:
> 
>   https://bugzilla.mozilla.org/show_bug.cgi?id=403665

> I have evaluated QuoVadis's request, as per the mozilla.org CA 
> certificate policy:
> 
>   http://www.mozilla.org/projects/security/certs/policy/
> 
> and plan to officially approve this request after a public comment 
> period.

The comment period has ended, and there are no outstanding issues and 
questions, so I'm formally approving the Quo Vadis request to EV-enable 
its existing root. I've filed bug 418701 to make the actual code changes 
required:

https://bugzilla.mozilla.org/show_bug.cgi?id=418701

Note that the bug is filed against PSM (only) because the cert in 
question is already in NSS, and PSM is where the EV metadata is handled.

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]


Re: window.crypto functions

2008-02-20 Thread Eddy Nigg (StartCom Ltd.)
Hi Bob,

Robert Relyea wrote:
> I think you need to be running a chrome to access this function 
> however;(. I don't think your average website can use it.

If Firefox is considered an average and common browser then it's pretty 
usable. For MSIE we've got activeX (so I'm not the MS guy, don't ask me 
too much about it), and XUL and activeX seem to be able to achieve more 
or less the same in that respect, i.e. check for hardware tokens, force 
to insert a hardware token, create the key in the token, check for its 
serial (for later referencing), login/logout functions on insert and 
removal etc. etc.

Anyway, thanks for all the suggestions and help!

-- 
Regards 
 
Signer: Eddy Nigg, StartCom Ltd. 
Jabber: [EMAIL PROTECTED] 
Blog:   Join the Revolution! 
Phone:  +1.213.341.0390
 



Re: window.crypto functions

2008-02-20 Thread Eddy Nigg (StartCom Ltd.)
Robert Relyea wrote:
>
> There are lots of APIs to get lots of data about smart cards, but just 
> like there are lots of APIs to do crypto, they aren't all available to 
> web designers through java script.

Oh, it works excellent with Javascript in Firefox (and most derivatives 
I guess). Subrata sent me a basic script example which saved me a lot of 
time. The only annoyance is that 
/signed.applets.codebase_principal_support/ in the config must be set to 
true manually. Because of that I'm exploring nevertheless if a mozilla 
specific Javascript function can be introduced which would give some 
basic info about the security devices and their state(s).

-- 
Regards 
 
Signer: Eddy Nigg, StartCom Ltd. 
Jabber: [EMAIL PROTECTED] 
Blog:   Join the Revolution! 
Phone:  +1.213.341.0390
 



Re: SEC_ERROR_BAD_SIGNATURE with Firefox 3

2008-02-20 Thread Robert Relyea

Christophe Thiaux wrote:
> Hello,
>
> I can't connect on an ssl server with Firefox 3: it displays
> SEC_ERROR_BAD_SIGNATURE
> But if I'm connecting with Firefox 2 and accept the certificate
> definitely, then the connexion with Firefox 3 works.
>
> Any idea of the problem ?

Not from this sparse description;(. Do you have a URL we can look at?

bob






Re: window.crypto functions

2008-02-20 Thread Robert Relyea

Eddy Nigg (StartCom Ltd.) wrote:
> Subrata Mazumdar wrote:
>> Eddy,
>> I think that you can do it. Have you looked into nsIPK11Token interface
>> (http://lxr.mozilla.org/mozilla1.8.0/source/security/manager/ssl/public/nsIPK11Token.idl)
>> ?
>> The nsIPK11Token interface would allow you to filter tokens based on a
>> number of attributes and
>> eventually you can determine the desired token is present.
>
> I think this is exactly what I was looking for. Subrata, thanks for this!
>
> If there is any other way getting at the information of smart cards I'd
> be interested to hear...

I think you need to be running a chrome to access this function
however;(. I don't think your average website can use it.

bob
 
  






Re: window.crypto functions

2008-02-20 Thread Robert Relyea

Nelson Bolyard wrote:
> Robert Relyea wrote, On 2008-02-19 14:20:
>> Eddy Nigg (StartCom Ltd.) wrote:
>>> Does anybody know if and which parameters might be obtained by the
>>> window.crypto functions and smart cards? For reference see this page:
>>> http://developer.mozilla.org/en/docs/JavaScript_crypto#Handling_Smart_Card_Events
>>>
>>> Specifically I'd like to know if there is a function to check if a smart
>>> card was already inserted before accessing a certain page. Is it
>>> possible to obtain a smart card ID or other properties of the smart card
>>> device (as loaded by NSS)?
>>
>> No, the API does not give you direct information about how many or which
>> tokens are installed.
>
> Bob, doesn't the command "modutil -list" produce the info Eddy wants?
> If so, then I'd say the API DOES provide that information, because modutil
> uses the API...

There are lots of APIs to get lots of data about smart cards, but just
like there are lots of APIs to do crypto, they aren't all available to
web designers through java script.

From a C program, or a plugin, it's pretty easy to know what Smart
cards are currently inserted (actually what tokens in general are
inserted...).

> /Nelson


SEC_ERROR_BAD_SIGNATURE with Firefox 3

2008-02-20 Thread Christophe Thiaux
Hello,

I can't connect on an ssl server with Firefox 3: it displays 
SEC_ERROR_BAD_SIGNATURE
But if I'm connecting with Firefox 2 and accept the certificate 
definitely, then the connexion with Firefox 3 works.

Any idea of the problem ?

Thanks

-- 
Chris

