Re: [Fwd: Reminder - SSL Certificate for *.startcom.org expires in 10 Days]
On 22/12/08 04:16, Eddy Nigg wrote: Not sure if this is a reason to disable a root, but it's certainly illegal business practice. Hopefully we can settle this with Comodo directly in appropriate manner. Seems like the business is in Denmark, and claims Danish law and courts. Which law are you claiming is breached? Just curious... iang ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Building NSS on Vista
Hi. I'm asking for help :) When I try to build NSS on Windows Vista, I've go build_coreconf error 1. Is it possible to build NSS on Vista ? If it is possible, then please tell me how? ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
RE: Building NSS on Vista
Unless you're intimate with the NSS build system and know enough to trim things down...then this set of instructions is the best thing. I've built NSS on Vista using this wiki page: https://developer.mozilla.org/En/Windows_Build_Prerequisites -Original Message- From: dev-tech-crypto-bounces+dstutzman=dsci@lists.mozilla.org [mailto:dev-tech-crypto-bounces+dstutzman=dsci@lists.mozilla.org] On Behalf Of ps_mitrofa...@mail.ru Sent: Monday, December 22, 2008 6:34 AM To: dev-tech-crypto@lists.mozilla.org Subject: Building NSS on Vista Hi. I'm asking for help :) When I try to build NSS on Windows Vista, I've go build_coreconf error 1. Is it possible to build NSS on Vista ? If it is possible, then please tell me how? ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: [Fwd: Reminder - SSL Certificate for *.startcom.org expires in 10 Days]
On 12/22/2008 11:11 AM, Ian G: On 22/12/08 04:16, Eddy Nigg wrote: Not sure if this is a reason to disable a root, but it's certainly illegal business practice. Hopefully we can settle this with Comodo directly in appropriate manner. Seems like the business is in Denmark, and claims Danish law and courts. Which law are you claiming is breached? Just curious... Unfortunately I can't comment any further on this matter what legal issues concerns... -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: start...@startcom.org Blog: https://blog.startcom.org ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Building NSS on Vista
Thank you, David Stutzman. I hope this information will help me. ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
delta crl support
Dear all, does the current version of nss already support delta crls? I can only find old information about this. Where can I find up to date info about such information? thanks ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Building NSS on Vista
ps_mitrofa...@mail.ru wrote, On 2008-12-22 03:33: Hi. I'm asking for help :) When I try to build NSS on Windows Vista, I've go build_coreconf error 1. Is it possible to build NSS on Vista ? If it is possible, then please tell me how? Sounds like you might have had one or more of these issues: - Used the wrong make program. (Must use gmake, not nmake, on Windows.) - Don't have the right set of build tools. (Don't have one of Mozilla's packages of build tools for Windows that includes the nsinstall program.) - Don't have all of the necessary sources in your source tree. (Did you have mozilla/security/coreconf as well as mozilla/security nss?) ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Building NSS on Vista
On 22 дек, 19:14, Nelson B Bolyard nel...@bolyard.me wrote: ps_mitrofa...@mail.ru wrote, On 2008-12-22 03:33: Hi. I'm asking for help :) When I try to build NSS on Windows Vista, I've go build_coreconf error 1. Is it possible to build NSS on Vista ? If it is possible, then please tell me how? Sounds like you might have had one or more of these issues: - Used the wrong make program. (Must use gmake, not nmake, on Windows.) - Don't have the right set of build tools. (Don't have one of Mozilla's packages of build tools for Windows that includes the nsinstall program.) - Don't have all of the necessary sources in your source tree. (Did you have mozilla/security/coreconf as well as mozilla/security nss?) I have all mozilla-tools mentioned in NSS Building FAQ: gmake.exe, nsinstall.exe, shmsdos,.exe uname.exe, glib-1.2_s.lib, libIDL-0.6_s.lib, include-fles. Also, I have all of the necessary sources(coreconf, nss...). I've set all environment variables. I'm using gmake nss_build_ all. ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Can't unwrap key into NSS in FIPS mode
alex.agra...@gmail.com wrote, On 2008-12-21 08:02: I'm working with NSS from JAVA (via JAVA 6 PKCS11 provider on RHEL 5). My NSS database is configured for FIPS-140 mode. And I try to wrap/ unwrap AES key with RSA public/private key pair as follows: // open NSS keystore char[] nssDBPassword = {'f', 'i', 'p', 's', '1', '4', '0', '-', '2'}; KeyStore ks = KeyStore.getInstance(PKCS11); ks.load(null, nssDBPassword); Provider p = ks.getProvider(); // generate RSA key pair KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance(RSA, p); KeyPair keyPair = keyPairGen.generateKeyPair(); // generate AES key KeyGenerator keyGen = KeyGenerator.getInstance(AES, p); keyGen.init(128); Key rawKey = keyGen.generateKey(); System.out.println(raw Key : + rawKey); // wrap key Cipher cipher = Cipher.getInstance(RSA/ECB/PKCS1Padding, p); cipher.init(Cipher.WRAP_MODE, keyPair.getPublic()); byte[] wrappedData = cipher.wrap(rawKey); // unwrap key cipher = Cipher.getInstance(RSA/ECB/PKCS1Padding, p); cipher.init(Cipher.UNWRAP_MODE, keyPair.getPrivate()); unwrappedKey = cipher.unwrap(wrappedData, AES, Cipher.SECRET_KEY); // encode data cipher = Cipher.getInstance(AES/CBC/NoPadding, p); cipher.init(Cipher.ENCRYPT_MODE, unwrappedKey); The wrap/unwrap code seems to work fine. But when I attempt to perform encoding with the unwrapped key - I get the following exception (which, as far as I understand, seems to suggest that key doesn't reside inside NSS crypto token): raw Key : SunPKCS11-NSScrypto AES secret key, 128 bits (id 12, session object, sensitive, extractable) java.security.InvalidKeyException: Could not create key at sun.security.pkcs11.P11SecretKeyFactory.createKey (P11SecretKeyFactory.java:226) at sun.security.pkcs11.P11SecretKeyFactory.convertKey (P11SecretKeyFactory.java:131) at sun.security.pkcs11.P11Cipher.engineGetKeySize(P11Cipher.java:582) at javax.crypto.Cipher.b(DashoA13*..) at javax.crypto.Cipher.a(DashoA13*..) at javax.crypto.Cipher.init(DashoA13*..) at javax.crypto.Cipher.init(DashoA13*..) at EncryptionTest.main(EncryptionTest.java:88) Are you sure this is not coming from the cipher.unwrap call? If you add a line of code to print info about the unwrapped key, does it show that key to be in the NSS token? Can anybody tell me what am I doing wrong? Or, may be, point me to some working JAVA code that performs wrap/unwrap of the key in NSS token? Maybe one of our seasoned Java veterans can help with those questions. ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Building NSS on Vista
ps_mitrofa...@mail.ru wrote, On 2008-12-22 08:45: On 22 дек, 19:14, Nelson B Bolyard nel...@bolyard.me wrote: ps_mitrofa...@mail.ru wrote, On 2008-12-22 03:33: Hi. I'm asking for help :) When I try to build NSS on Windows Vista, I've go build_coreconf error 1. Is it possible to build NSS on Vista ? If it is possible, then please tell me how? Sounds like you might have had one or more of these issues: - Used the wrong make program. (Must use gmake, not nmake, on Windows.) - Don't have the right set of build tools. (Don't have one of Mozilla's packages of build tools for Windows that includes the nsinstall program.) - Don't have all of the necessary sources in your source tree. (Did you have mozilla/security/coreconf as well as mozilla/security nss?) I have all mozilla-tools mentioned in NSS Building FAQ: gmake.exe, nsinstall.exe, shmsdos,.exe uname.exe, glib-1.2_s.lib, libIDL-0.6_s.lib, include-fles. Also, I have all of the necessary sources(coreconf, nss...). I've set all environment variables. I'm using gmake nss_build_ all. Please supply more output from the gmake run, like (say) the last 20 lines of output. ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Building NSS on Vista
On 22 дек, 20:08, Nelson B Bolyard nel...@bolyard.me wrote: ps_mitrofa...@mail.ru wrote, On 2008-12-22 08:45: Please supply more output from the gmake run, like (say) the last 20 lines of output There is building log(but there are only 5 lines of output): gmake nss_build_all process_begin:CreateProcess((null),pwd,..) failed. process_begin:CreateProcess((null),pwd,..) failed. cd ../coreconf ; gmake System could not find mentioned path. gmake: *** [build_coreconf] Error 1 Sorry for bad translation. As you can see it isn't working from the start. And as I said, I have coreconf directory. I'll be appreciated for any help. ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Building NSS on Vista
ps_mitrofa...@mail.ru wrote, On 2008-12-22 09:30: On 22 дек, 20:08, Nelson B Bolyard nel...@bolyard.me wrote: ps_mitrofa...@mail.ru wrote, On 2008-12-22 08:45: Please supply more output from the gmake run, like (say) the last 20 lines of output There is building log(but there are only 5 lines of output): gmake nss_build_all process_begin:CreateProcess((null),pwd,..) failed. process_begin:CreateProcess((null),pwd,..) failed. So, that's the real problem. I believe It means that gmake tried to run the pwd program, but that program was not in any of the directories listed in your PATH environment variable. You must ensure that all the build tools are found in directories named in PATH. One way to do that is to change the PATH variable to include additional directories. ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Can't unwrap key into NSS in FIPS mode
Are you sure this is not coming from the cipher.unwrap call? If you add a line of code to print info about the unwrapped key, does it show that key to be in the NSS token? Actually, the cipher.unwrap call passes fine, but when I print the unwrappedKey - it looks like a secretKeySpec rather than a key that resides in NSS token. But I can't figure out what am I doing wrong - 'cause I explicitly pass provider to all my cipher initializations... ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Unbelievable!
https://blog.startcom.org/?p=145 -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: start...@startcom.org Blog: https://blog.startcom.org ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
RE: Unbelievable!
Eddy, That reseller's ability to sell Comodo certificates has been suspended while we investigate why they are apparently not fulfilling their contractual obligations to us. We revoked your certificate for mozilla.com. Regards Robin Alden Comodo -Original Message- From: dev-tech-crypto-bounces+robin=comodo@lists.mozilla.org [mailto:dev-tech-crypto-bounces+robin=comodo@lists.mozilla.org] On Behalf Of Eddy Nigg Sent: Monday, December 22, 2008 10:25 PM To: dev-tech-crypto@lists.mozilla.org Subject: Unbelievable! https://blog.startcom.org/?p=145 -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: start...@startcom.org Blog: https://blog.startcom.org ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
RE: Unbelievable!
Eddy, As I noted in my prior correspondence, Comodo has undertaken an internal review of the Certstar reseller account. We have informed CertStar that their email violates their contractual obligation to refrain from sending unsolicited emails and that their email could be interpreted as misleading and confusing to the customer. During our review, we discovered that Certstar had apparently issued a certificate to mozilla.com without validating control of the domain. We immediately revoked the certificate (prior to your posting) and have suspended Certstar's reseller activities until our investigation has been completed. Please let me know if you have any further problems. Regards Robin Alden Comodo -Original Message- From: dev-tech-crypto-bounces+robin=comodo@lists.mozilla.org [mailto:dev-tech-crypto-bounces+robin=comodo@lists.mozilla.org] On Behalf Of Eddy Nigg Sent: Tuesday, December 23, 2008 1:34 AM To: dev-tech-crypto@lists.mozilla.org Subject: Re: Unbelievable! On 12/23/2008 03:15 AM, Robin Alden: Eddy, That reseller's ability to sell Comodo certificates has been suspended while we investigate why they are apparently not fulfilling their contractual obligations to us. How can you outsource such a critical part as domain control validation to a reseller is a complete mystery to me! Your controls (if any) have completly failed. And apparently if the fish stinks at the tail, chances that the head is rotten too are pretty high. We revoked your certificate for mozilla.com. I suggest to revoke ALL certificates from this reseller and perform an urgent review of your policies and implementations in relation to resellers at all. Other steps might be needed as well, you know better than me. -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: start...@startcom.org Blog: https://blog.startcom.org ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Unbelievable!
Kyle Hamilton wrote: I advocate at least temporarily removing the trust bits from Comodo until a new external audit can be completed, with an eye toward ensuring that Comodo, not the reseller, perform the domain validations. There are two general reasons for pulling a root, to address a clear and present danger to Mozilla users, and to punish a CA and deter others. My concern right now is with the former. I see at least three issues in relation to that: 1. Issuance of further non-validated certs by this reseller. Comodo seems to have addressed this by suspending the reseller's ability to get certs issued. (I can testify that this is the case, as I tried to duplicate Eddy's feat earlier today and got my uploaded CSR rejected.) 2. Potential problems with certs already sold through this reseller. Comodo should investigate this and take action if needed. (This need not necessarily require revoking all certificates associated with the reseller; for example, the existing certs and their associated domains could be re-validated, the registered domain owners could be notified of the potential for bogus certs floating around, etc.) 3. Potential problems with other Comodo resellers. I'm not going to tell Comodo how to operate its reseller network, but they certainly should take a look at whether and where this might be a problem with other resellers, and how they could revamp their systems to reduce potential problems with resellers. Pulling a Comodo root will knock out Firefox, etc., access to thousands of SSL sites, maybe tens of thousands. Given the disruption that would cause, the final decision on this IMO should be made in conjunction with the Firefox security folks. From my point of view I'd wait on more information regarding items 2 and 3 above before making a recommendation. Frank -- Frank Hecker hec...@mozillafoundation.org ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Unbelievable!
I agree with all three of these issues -- it's not *just* this reseller, it's potentially the entire reseller network, and it's entirely possible that the problem exists across multiples. (Especially if Comodo delegates full Registration Authority capability without verification, which seems to be the case -- though they could have simply issued a sub-CA certificate.) It occurs to me that there is no facility in Firefox or other Mozilla products to provide an explanatory dialog that there's an issue, and such a facility would be extremely useful at this point. Being able to print a message to the user like The Mozilla Foundation has identified issues with the trusted root that issued this certificate which prevent Firefox from being able to guarantee that this is truly the site to which you intended to go. While it is unlikely that this is a widespread problem, and an attack would rely on more technical intrusions into the network, the nature of these issues requires that you be warned of this circumstance so that you can exercise appropriate levels of caution. The Mozilla Foundation is working with the trusted root to resolve these issues. would help a lot. (I word it like that because in order for an attacker to succeed he would need to also hijack DNS, or place a entry in the user's hosts file.) Of course, this would be an NSS change (the addition of a 'trust suspended' bit, in addition to the trust flags), a Firefox/Thunderbird code change (to look for that bit), and a chrome change (to explain what's going on). Or even a check for the name in the hosts file to see if it's overridden from DNS. Placing an entry in a user's hosts file is easier than hijacking DNS, or at least it's supposed to be. I'm pretty sure we're all aware of the fairly recent cache poisoning attack, but the people who write BIND pushed out a change to protect against it very rapidly. The addition of a 'trust suspended' bit is primarily unlikely to happen, though, because there's too much inertia in the way things are to do what needs to be done to fix the authentication system to allow a root to stay in while the user is potentially at risk. -Kyle H On Mon, Dec 22, 2008 at 9:09 PM, Frank Hecker hec...@mozillafoundation.org wrote: Kyle Hamilton wrote: I advocate at least temporarily removing the trust bits from Comodo until a new external audit can be completed, with an eye toward ensuring that Comodo, not the reseller, perform the domain validations. There are two general reasons for pulling a root, to address a clear and present danger to Mozilla users, and to punish a CA and deter others. My concern right now is with the former. I see at least three issues in relation to that: 1. Issuance of further non-validated certs by this reseller. Comodo seems to have addressed this by suspending the reseller's ability to get certs issued. (I can testify that this is the case, as I tried to duplicate Eddy's feat earlier today and got my uploaded CSR rejected.) 2. Potential problems with certs already sold through this reseller. Comodo should investigate this and take action if needed. (This need not necessarily require revoking all certificates associated with the reseller; for example, the existing certs and their associated domains could be re-validated, the registered domain owners could be notified of the potential for bogus certs floating around, etc.) 3. Potential problems with other Comodo resellers. I'm not going to tell Comodo how to operate its reseller network, but they certainly should take a look at whether and where this might be a problem with other resellers, and how they could revamp their systems to reduce potential problems with resellers. Pulling a Comodo root will knock out Firefox, etc., access to thousands of SSL sites, maybe tens of thousands. Given the disruption that would cause, the final decision on this IMO should be made in conjunction with the Firefox security folks. From my point of view I'd wait on more information regarding items 2 and 3 above before making a recommendation. Frank -- Frank Hecker hec...@mozillafoundation.org ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto