Re: Is there a Mozilla security process?

2005-06-27 Thread Amir Herzberg

Space Riqui wrote:

--- Heikki Toivonen [EMAIL PROTECTED] wrote:


after playing around for a while I managed to go to
a site I had set a petname for but the petname
field showed untrusted (I've been unable to
reproduce this, though)


This has happened to me a few times with the following web sites:

https://tryowa.arvinmeritor.com/
https://chaseonline.chase.com/chaseonline/home/sso_co_home.jsp


I tried both and didn't notice this particular problem. OTOH, I noticed 
petname (and spoofstick) does not handle multitab FF windows correctly, 
which is very confusing and annoying; maybe that was the cause of your 
problem?


BTW, these sites work fine for TrustBar (now using our 0.4 alpha version 
which also lets me `rename` them in the  bar directly, like `petname`; 
but I'm quite sure they worked also in the current 0.31 release).


Best, Amir Herzberg


Hope it helps.



 

___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security


Re: Criteria for an antiphishing tool

2005-06-27 Thread Duane

Ian Grigg wrote:


2.  This policy seems to have arisen alongside or
from a closed meeting of a month or so ago.  Duane
(representing a CA of 2000 members) didn't get
invited to the closed meeting of CAs and browser
manufacturers.  No minutes, no agenda, no published
results.  There is only one word for that - compromised.


This reply isn't aimed at you Ian, but you happened to mention numbers 
that are a little out of date.


In any case I did ask on several occasions before the event if this was 
going to be a secret back room deal or open such as the source code only 
to be shouted down about breach of confidences, what about the 
confidences of the actual browser users that keeps getting touted as the 
holy grail.


To date I've seen nothing but contempt for most users with the closed 
meeting and no actual minutes or reports on the event and in fact I'm 
starting to think using the excuse about protecting users is merely a 
convenient line to throw out when it suits rather than actually being 
concerned about their welfare on an active basis.


So far to date I still haven't heard from the Mozilla foundation who was 
present, general overview of the event, any major decisions made likely 
to affect users of Mozilla software, so on and so forth.


Ian as for our numbers, that depends what you want to count...

As of the present moment we have 3,328 users that have appeared in 
person to verify their identity.


We have a further 644 that have partially proven their identity, but 
aren't considered completely verified in the system.


We have issued 53,175 certificates of which 28,108 are valid.

People have verified 39,284 email addresses and 16,776 domains, and 
there are 29,808 valid user accounts, of course this number keeps 
growing by the day, up to date figures can be seen on our website:


http://www.cacert.org/stats.php

Any other CAs publishing any similar stats?

--

Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

I do not try to dance better than anyone else.
I only try to dance better than myself.


Re: Need help w/programmatic installation of Client Certs

2005-06-27 Thread Mike Stokes
Customer demand. We have to support both browsers now.

Duane [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Mike Stokes wrote:
  Thanks again for all of your help Duane. I'm going to go do some more
  research on this. I can't use any of the technologies that you use due to
  our in-house development standards and practices - no open source, so no
  PHP, no OpenSSL, etc. I also need to better understand the root cert
  technologies at a lower level.

 Then why are you using firefox?





Re: Need help w/programmatic installation of Client Certs

2005-06-27 Thread Mike Stokes
Nelson,

Thanks for the info. I'm gonna go check out those Netscape reference docs
right away.


Nelson B [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Mike Stokes wrote:
  I'm new to the Netscape/Firefox/Mozilla platform and I've been tasked with
  providing a programmatic method for our customers to use to install client
  certificates. I'm looking for suggestions on how to approach a solution.
  Java applet? Extension? Plug-in?

 None of the above.  The functionality is built right in to the browser.
 A simple HTML is all that is needed to get the browser to generate a
 Certificate signing request, and another simple page (er, MIME content
 type) is all that's needed to download the user's new cert chain.

 This functionality is all inherited from the older Netscape browsers,
 and much of the original Netscape documentation on this subject still
 applies.  Look at

 http://wp.netscape.com/eng/security/comm4-keygen.html
 http://wp.netscape.com/eng/security/comm4-cert-download.html

 You can ask more questions here.

 -- 
 Nelson B




Re: Criteria for an antiphishing tool

2005-06-27 Thread Gervase Markham

Ian Grigg wrote:

On the notion of common and consistent security
UI policy - how is that any different to follow the
leader ?  It's synonymous as far as I can see it.


sigh

The implication of the phrase follow the leader is that we are just 
doing what others are doing simply because they are doing it. This is 
clearly not the case - in partnership with the other browser vendors, we 
are together working out the most appropriate UI and then all 
implementing it. If anything (given that I wrote the proposal) _we_ are 
the leader.


Do you *oppose* a common and consistent security UI? If not, why am I 
wasting my time typing this? I apologise for being short with you, but 
this newsgroup has a great enough volume already without me having to 
write things which are unnecessary.


Gerv


Re: Criteria for an antiphishing tool

2005-06-27 Thread Gervase Markham

Ian Grigg wrote:
This is  
clearly not the case - in partnership with the other browser vendors, we 
are together working out the most appropriate UI and then all 
implementing it.


This is news.  Are you intending to announce this or
does it remain embargoed ?  What is clear about it?
Who's in and who's out ?


It's not announced yet because it's still very much a draft, and because 
some organisations involved are a little reticent about their 
involvement. To take a phrase out of your book, the word is 'diplomacy'.



You (mozilla, you, everyone within) are not playing
fair.

snip

So fair is OK, I have big reservations about your ideas but I'm going 
to implement them anyway?


I've just noticed that this email has three more pages to it. I'm sorry, 
but I don't have time to read it, as I can see it's just an abusive 
monologue.


Gerv