Re: S/MIME in Thunderbird
Nelson B Bolyard wrote:
> If Microsoft has merely taken a DER-encoded object from another standard and has incorporated it into a cert extension, that seems fine to me. I hope they did it in such a way that existing BER/DER parsers of the sMIMECapabilities attribute can just parse the extension body directly.

OpenSSL recognises it as sMIMECapabilities, but apparently does not really include the layer to interpret that extension.

Here is the content of the extension as it appears inside a certificate I have:

  MEQGCSqGSIb3DQEJDwQ3MDUwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDAHBgUr
  DgMCBzAKBggqhkiG9w0DBw==

and the result dumpasn1 gives on it:

   0  68: SEQUENCE {
   2   9:   OBJECT IDENTIFIER sMIMECapabilities (1 2 840 113549 1 9 15)
  13  55:   OCTET STRING, encapsulates {
  15  53:     SEQUENCE {
  17  14:       SEQUENCE {
  19   8:         OBJECT IDENTIFIER rc2CBC (1 2 840 113549 3 2)
  29   2:         INTEGER 128
        :         }
  33  14:       SEQUENCE {
  35   8:         OBJECT IDENTIFIER rc4 (1 2 840 113549 3 4)
  45   2:         INTEGER 128
        :         }
  49   7:       SEQUENCE {
  51   5:         OBJECT IDENTIFIER desCBC (1 3 14 3 2 7)
        :         }
  58  10:       SEQUENCE {
  60   8:         OBJECT IDENTIFIER des-EDE3-CBC (1 2 840 113549 3 7)
        :         }
        :       }
        :     }
        :   }

I'll send you the cert in private mail. I've just checked: the extension appears only in the mail encryption cert (KU=key exchange), not in the mail signature cert (KU=signature).

Also, testing MCS in any server edition of Windows is nothing more than going into Control Panel, selecting Add/Remove Windows Components, clicking Certificate Services, and finding the install CD/DVDs again (which might be more difficult). There are a few questions you need to answer, but it's really not difficult; you just need to select a Stand Alone authority so that you don't need to integrate it with Active Directory.

> If you could supply a specification for this new extension, I'd file an RFE for Thunderbird/NSS to handle these certs in the intended manner.

I'm not very well placed to give a specification, but it seems it's really nothing more than taking sMIMECapabilities and including it inside X.509.

It would be good to include the RFE also in Dogtag then.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
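As an added example (not code from this thread, NSS or OpenSSL), here is a small self-contained DER walker in Python that decodes the base64 extension value quoted above into the same list of capabilities dumpasn1 printed, then applies a hypothetical recipient-side policy (the WEAK set is an assumption of this example, not something the post states) to show which advertised algorithms a sender would still be allowed to pick. The OID names are those dumpasn1 shows; unknown OIDs are returned in dotted form.

```python
import base64

# Constructed input: the base64 extension value quoted in the post above, with
# its line wrap removed (the same bytes dumpasn1 was run on there).
EXTENSION_B64 = (
    "MEQGCSqGSIb3DQEJDwQ3MDUwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDAHBgUr"
    "DgMCBzAKBggqhkiG9w0DBw=="
)
OID_SMIME_CAPABILITIES = "1.2.840.113549.1.9.15"
# Names for the capability OIDs in the dump; unknown OIDs stay dotted.
KNOWN = {
    "1.2.840.113549.3.2": "rc2CBC",
    "1.2.840.113549.3.4": "rc4",
    "1.3.14.3.2.7": "desCBC",
    "1.2.840.113549.3.7": "des-EDE3-CBC",
}
# Capabilities a sender should not honour (a hypothetical local policy).
WEAK = {"rc2CBC", "rc4", "desCBC"}

def read_tlv(buf, pos, want=None):
    """Read one DER TLV at buf[pos] -> (tag, value, next_pos).
    Handles short and long-form definite lengths (DER has no indefinite)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if want is not None and tag != want:
        raise ValueError("expected tag %#x, got %#x" % (want, tag))
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OID content octets (base-128 arcs; first octet = 40*a + b)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_smime_capabilities(ext_der):
    """Parse Extension ::= SEQUENCE { extnID, [critical], extnValue OCTET STRING }
    whose value is SMIMECapabilities ::= SEQUENCE OF SEQUENCE { OID, params OPT }.
    Returns [(name, key_size_or_None), ...] in the order the cert lists them."""
    _, ext, _ = read_tlv(ext_der, 0, want=0x30)
    _, oid, pos = read_tlv(ext, 0, want=0x06)
    if decode_oid(oid) != OID_SMIME_CAPABILITIES:
        raise ValueError("not an sMIMECapabilities extension")
    if ext[pos] == 0x01:                      # skip optional 'critical' BOOLEAN
        _, _, pos = read_tlv(ext, pos)
    _, octets, _ = read_tlv(ext, pos, want=0x04)
    _, caps, _ = read_tlv(octets, 0, want=0x30)
    result, pos = [], 0
    while pos < len(caps):
        _, cap, pos = read_tlv(caps, pos, want=0x30)
        _, oid, inner = read_tlv(cap, 0, want=0x06)
        dotted, key_size = decode_oid(oid), None
        if inner < len(cap):                  # parameters present
            tag, param, _ = read_tlv(cap, inner)
            if tag == 0x02:                   # INTEGER key length (RC2/RC4)
                key_size = int.from_bytes(param, "big")
        result.append((KNOWN.get(dotted, dotted), key_size))
    return result

def capabilities_from_b64(b64):
    """Convenience wrapper: accepts the value as pasted, line wraps and all."""
    return parse_smime_capabilities(base64.b64decode(b64.replace(" ", "")))

def acceptable(caps):
    """Drop WEAK capabilities; what remains is what a sender may select."""
    return [(n, k) for n, k in caps if n not in WEAK]
```

Run against the quoted value, only des-EDE3-CBC survives the policy filter, which is the practical point of reading this extension on the sending side rather than trusting the first entry.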
Problem reading certificate from hardware token
Hi all,

I've googled to and fro and have only found another poster having roughly the same problem as I. The situation is this: I want to authenticate against a juniper SA 2500 firewall with a user and password AND a certificate. I have a safenet iKey 1032 token where I imported the p12 certificate. In firefox (tried 2.0.x, 3.0.x and 3.5.x) I imported the safenet K1PK112.DLL PKCS#11 module. In the firefox cryptography module manager I now see the token and can (after entering the pin) see the certificate. So firefox _can_ read the certificate off of the token.

But when I go to the juniper firewall website I get the error message that the certificate can't be found. When I (for testing) take out the token and import the p12 certificate directly into the firefox certificate store I can authenticate against the juniper firewall website with user and pass and the certificate.

So the problem seems to be that in the crypto module manager firefox can read a certificate off of a token and can't read it off when queried by a website. Where would you think is the problem? Is it within firefox or a problem with the third-party pkcs#11 module? (I'm also in contact with the safenet folks)

Thanks a lot, regards
Udo Puetz
Re: Problem reading certificate from hardware token
I can't help you with the specific problem [:-(] but I can help you with a diagnostic at least. Which is?

Smart card vendors have spent decades on fighting each other on the spec/middleware side and naturally we all have to pay the price. Tokens for consumers have therefore been [rightfully] rejected on the pragmatic US market.

Is there a workaround? Yes, instead of chasing middleware issues another 10 years or so, I think that the authentication people including Mozilla should define a token with a standard interface that is included in the platform itself regardless if that is Firefox or Windows. The opposite to that is the OpenSC project where every card profile, vendor, and local country variation is treated as a feature, while it from a usability point-of-view is really more like a bug.

Anders

- Original Message -
From: Udo Puetz <inexg...@googlemail.com>
Newsgroups: mozilla.dev.tech.crypto
To: dev-tech-crypto@lists.mozilla.org
Sent: Thursday, July 02, 2009 11:58
Subject: Problem reading certificate from hardware token
Re: Problem reading certificate from hardware token
On 2009-07-02 02:58 PDT, Udo Puetz wrote:
> I want to authenticate against a juniper SA 2500 firewall with a user and password AND a certificate. I have a safenet iKey 1032 token where I imported the p12 certificate. In firefox (tried 2.0.x, 3.0.x and 3.5.x) I imported the safenet K1PK112.DLL PKCS#11 module. In the firefox cryptography module manager I now see the token and can (after entering the pin) see the certificate. So firefox _can_ read the certificate off of the token.

While in this state, go into Firefox's certificate manager, and look through the tabs to find the cert. Tell us in which tab(s) the cert appears. In particular, does it appear in the Your Certificates tab? Also, in that tab, note the value in the Security Device column in the row for your certificate.

Then, select your certificate and click the View button. A Certificate Viewer dialog will appear. In that dialog, select the Details tab. In that tab are 3 boxes or panes, the top one of which is labeled Certificate Hierarchy. That box will contain some number of lines. Please copy the contents of that box (you may have to retype it by hand). I will explain below what to do with this information.

> But when I go to the juniper firewall website I get the error message that the certificate can't be found.

Where do you see this message? Is it in a Juniper log file? Or Firefox? If it is a Juniper log file, can you tell from the message whether it is saying:
a) That it received no certificate from the browser, or
b) That it cannot validate the certificate chain received, or
c) That it does not recognize the validated cert as being authorized?

> When I (for testing) take out the token and import the p12 certificate directly into the firefox certificate store I can authenticate against the juniper firewall website with user and pass and the certificate. So the problem seems to be that in the crypto module manager firefox can read a certificate off of a token and can't read it off when queried by a website.

While in this state, please repeat the steps I gave above, noting the tab of the certificate manager in which your certificate appears, the security device associated with your certificate, and the contents of the Certificate Hierarchy pane in the Certificate Viewer.

Then compare these two sets of results. I suspect they will differ. It may be that, in one case the certificate appears in Your Certificates tab, and in the other case, it does not appear in that tab, but appears in some other tab. Or, it may be that in one case the Certificate Hierarchy contains multiple lines (corresponding to multiple certificates) and in the other case, it contains fewer lines (perhaps only one). Or perhaps you will find both of these differences. Or perhaps neither. Any of these differences could explain your problem, I believe. If you do not find any of these differences, then I can suggest some additional (more complicated) diagnostic steps.

> Where would you think is the problem? Is it within firefox or a problem with the third-party pkcs#11 module? (I'm also in contact with the safenet folks)

At this point, with the information I have, I can only speculate. There are many possibilities. Here are some:

1) In addition to needing the certificate, Firefox also needs to be able to access the private key on the token. It may be that it cannot access the private key on the token, but can access it when you import the PKCS#12 file into Firefox's own software token (a.k.a. Software Security Device). If Firefox can access the private key, then the certificate should appear in Your Certificates, otherwise it will appear in one of the other tabs. If you find that the certificate does not appear in Your Certificates, then that is the problem. This would very likely be a problem in the PKCS#11 module and/or token, not in Firefox.

2) It may be that your certificate has a hierarchy with more than two certificates in it, and all of those certificates are stored in Firefox's software token when you import the PKCS#12 file there, but not all those certificates are being stored on the token when you import the PKCS#12 file there. In order to be able to successfully do client cert authentication, Firefox needs access to the entire correct certificate hierarchy. It cannot succeed if certs are missing from the hierarchy. If you find that the two hierarchies seen in the steps above are different, that is the likely cause. In that case, you really should try to import the missing certs into the token. If you cannot do that, that is a bug in the token or PKCS#11 module, however, there is a workaround. You can import the missing CA certs into Firefox's software token instead.

Hope this helps.

> Thanks a lot, regards
> Udo Puetz
Re: Problem reading certificate from hardware token
Anders Rundgren wrote:
> Linux: doesn't even provide a crypto service API, or does it?

There's a PKCS#11 driver implementation by the OpenSC project (see http://www.opensc.org/).

Ciao, Michael.
Re: Problem reading certificate from hardware token
On 07/02/2009 10:17 PM, Anders Rundgren:
> If you want to use Hardware tokens, PKCS #11, and Firefox you either must be nuts, a masochist, very smart, or highly committed.

For all those who are nuts, masochists, smart and highly committed I blogged this article which shows how easy it can be, especially on Linux: http://blog.startcom.org/?p=82

Enjoy :-)

-- 
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
Re: Problem reading certificate from hardware token
USB does actually have a PKCS#10 device reader profile. If you were to extend that by adding a generic "oh, it also has a device in a slot that performs these functions" layer that was exposed through the device-reader profile, it would be universal -- and universally implemented in the platform itself.

-Kyle H

On Thu, Jul 2, 2009 at 3:16 AM, Anders Rundgren <anders.rundg...@telia.com> wrote:
> I can't help you with the specific problem [:-(] but I can help you with a diagnostic at least. Which is?
>
> Smart card vendors have spent decades on fighting each other on the spec/middleware side and naturally we all have to pay the price. Tokens for consumers have therefore been [rightfully] rejected on the pragmatic US market.
>
> Is there a workaround? Yes, instead of chasing middleware issues another 10 years or so, I think that the authentication people including Mozilla should define a token with a standard interface that is included in the platform itself regardless if that is Firefox or Windows. The opposite to that is the OpenSC project where every card profile, vendor, and local country variation is treated as a feature, while it from a usability point-of-view is really more like a bug.
>
> Anders
Re: Problem reading certificate from hardware token
PKCS #10? I guess you really meant PKCS #11. I'm not aware of any such profile. There is a smart card profile but I doubt it has much to do with PKCS #11, it is rather about 7816.

Anyway, the way Firefox is linked to PKCS #11 is probably OK in Linux-land. However, in Windows-land where 80% of all users live it doesn't fill the bill.

BTW, we still don't have a credible system for *remote* provisioning of smart cards on any OS, so we shouldn't expect too much progress here because PKCS #11 can't do that job actually!

Anders

Kyle Hamilton wrote:
> USB does actually have a PKCS#10 device reader profile. If you were to extend that by adding a generic "oh, it also has a device in a slot that performs these functions" layer that was exposed through the device-reader profile, it would be universal -- and universally implemented in the platform itself.
>
> -Kyle H
USB device profile for smart-card readers (was: Problem reading certificate from hardware token)
On Thu, Jul 2, 2009 at 1:06 PM, Anders Rundgren <anders.rundg...@telia.com> wrote:
> PKCS #10? I guess you really meant PKCS #11. I'm not aware of any such profile. There is a smart card profile but I doubt it has much to do with PKCS #11, it is rather about 7816.

You're right, PKCS#11. http://www.usb.org/developers/docs/EH_MR_rev1.pdf

But what is 7861?

> Anyway, the way Firefox is linked to PKCS #11 is probably OK in Linux-land. However, in Windows-land where 80% of all users live it doesn't fill the bill.

If it's a standard component, with a standard interface, then there's no reason at all for the OS not to support it. I just don't have any USB devices which support that profile to test.

> BTW, we still don't have a credible system for *remote* provisioning of smart cards on any OS, so we shouldn't expect too much progress here because PKCS #11 can't do that job actually!

There are multiple reasons why we can't do that job:
1) There is no credible remote provisioning because there's no credible third-party manufacturer or third-party trusted authority that banks will allow.
2) There is no credible remote provisioning protocol.
3) There is no desire at/for the bank to allow smart-card login, because there are alternatives that are more useful. (For example, Bank of America will text my cellphone an RSA SecurID-like number whenever I try to log into my account. This shows two separate types of authentication: something I know and something I have. Unless both the phone and the network are both tapped and redirected by Mallory, it's unlikely to be a problem. And, let's face it: the US government has access to my financial records anyway.)

-Kyle H
Re: USB device profile for smart-card readers (was: Problem reading certificate from hardware token)
Kyle Hamilton wrote:
> 3) There is no desire at/for the bank to allow smart-card login, because there are alternatives that are more useful

Exactly! It doesn't work for the really useful applications that could drive the market.

Anders

PS. There were some oddities in the USB/P11/OS/7816/Mozilla argumentation but on the outcome we seem to be on the same page DS
Re: Problem reading certificate from hardware token
On 2009-07-02 12:17 PDT, Anders Rundgren wrote:
> If you want to use Hardware tokens, PKCS #11, and Firefox you either must be nuts, a masochist, very smart, or highly committed. For ordinary users it makes little sense.
>
> Hardware tokens: there are any number of different types
> PKCS #11: the most difficult to program and administer middleware known to mankind
> Firefox: doesn't support CA issuers or Windows CSPs
> Linux: doesn't even provide a crypto service API, or does it?
>
> Anders

Anders,

The user has made a decision and we're helping him with it. I don't find your sniping helpful in any way. I am aware that you have proposed alternative technologies to many of those used in Firefox, and I imagine that you're frustrated that the major browsers are not excitedly switching to those alternatives, but please don't take it out on us. Please refrain from further sniping in this mailing list and newsgroup. Constructive contributions are welcome.

In answer to your question: Yes, the Linux Software Base now includes NSS. Numerous products use it, including Google's Chrome and Adobe's Flash Player.
Moving browser PKI forward (Re: Problem reading certificate from hardware token)
Nelson B Bolyard wrote:
>> If you want to use Hardware tokens, PKCS #11, and Firefox you either must be nuts, a masochist, very smart, or highly committed.
>
> Anders,
>
> The user has made a decision and we're helping him with it.

That's fine, I have personally noted that these kinds of problems are rather common while for example using a FAT-formatted USB mass storage unit works without hassles on multiple platforms. This is not something that you or Mozilla is responsible for, it is the *industry* that we both represent that IMO has screwed up big-time. See Kyle's posting regarding on-line banking.

> I am aware that you have proposed alternative technologies to many of those used in Firefox, and I imagine that you're frustrated that the major browsers are not excitedly switching to those alternatives.

It is very frustrating that EU banks and governments are spending hundreds of millions of dollars per year on software that basically replaces the browsers' client-side PKI stuff because the latter is all-over-the-map and does not support the tiniest of requirements such as PIN-codes for soft tokens. Many of these efforts also bypass TLS client-cert-auth for essentially the same reasons why practically nobody uses HTTP Basic or Digest Authentication, but rather make auth a part of the app protocol.

Anyway, my analysis shows that updating browser mechanisms like keygen wouldn't actually solve anything because the token products on the market were never designed for on-line provisioning. According to most people who are into consumer PKI, Java applets are the best solution for cross-browser PKI. I think Java applets suck but indeed, that's really all we've got.

> but please don't take it out on us. Please refrain from further sniping in this mailing list and newsgroup. Constructive contributions are welcome.

I'm sorry about that. Is there any other place where Mozilla people hang out where there is an interest in trying to understand why and what is happening on the PKI side for consumers?

Regarding constructive contributions: IF it would be possible to get some architectural support for introducing XML protocol support in Firefox, I think we could actually move things forward a bit: http://webpki.org/papers/web/XMLBrowserExtensionScheme.pdf

If Mozilla wants to do this in another way that's fine, the important thing is to get something universally usable running!

> In answer to your question: Yes, the Linux Software Base now includes NSS. Numerous products use it, including Google's Chrome and Adobe's Flash Player.

That's good to hear!

Regards
Anders Rundgren