Re: Proposal to split this list

2009-01-26 Thread Gervase Markham
Paul Hoffman wrote: > Having a separate policy list would help the technology folks focus > on what they do best. It would also help the policy people keep > their discussion out of bits-on-the-wire and up in the "what should > we be doing" layer. OK, then. https://bugzilla.mozilla.org/show_b

Re: SHA1 considered a PITA

2009-01-26 Thread Julien R Pierre - Sun Microsystems
Ian, Ian G wrote: On 26/1/09 19:43, Jean-Marc Desperrier wrote: About Apache, it seems the potential problem is more with OpenSSL, it will not enable SHA-2 by default if you only enable the default algorithms for SSL. But I think most people choose instead to initialize all the algorithms Open

Re: RSA Keygen problem

2009-01-26 Thread Julien R Pierre - Sun Microsystems
Jean-Daniel, Jean-Daniel wrote: On Jan 24, 2:46 am, Julien R Pierre - Sun Microsystems wrote: Jean-Daniel, Jean-Daniel wrote: Since the death of OpenDarwin, I think the only Darwin stand alone project is PureDarwin. But there is not yet a stable version. And in the list of required processor,

Re: Server Gated Cryptography

2009-01-26 Thread Kyle Hamilton
"what is THIS bit? And why is it set on some and not others?" It's vestigial, and it should be removed simply as good housekeeping. If this is the attitude of all of the Mozilla devs, no wonder it's impossible to figure out the codebase without devoting weeks to studying it. I humbly suggest th

DCSSI Root Inclusion Request

2009-01-26 Thread kathleen95014
Frank has asked me to help with the public discussion phase for CA requests. The CA Schedule at https://wiki.mozilla.org/CA:Schedule has been changed into a queue. I will keep that page updated as requests enter/complete discussion or complete the information gathering/ verification phase. DCSSI is

Re: RSA encryption via XUL (or XPCOM)

2009-01-26 Thread Nelson B Bolyard
karl wrote, On 2009-01-26 12:39: > Help: Does anyone know of an XPCOM component that will encrypt/decrypt > a XUL string using RSA encryption. > > I can do it using javascript RSA libraries students.stanford.edu/~tjw/jsbn/>, but they are too slow (250ms) when > decrypting 250ms

Re: Server Gated Cryptography

2009-01-26 Thread Nelson B Bolyard
Gervase Markham wrote, On 2009-01-26 05:27: > Nelson Bolyard wrote: >>> If it is the latter, what would be the effect of us removing the SSL >>> Step Up trust bit in NSS for the list of roots you give? >> No effect whatsoever. > > Super. Would you care to file a bug to do that, or shall I? :-) Wh

RSA encryption via XUL (or XPCOM)

2009-01-26 Thread karl
Help: Does anyone know of an XPCOM component that will encrypt/decrypt a XUL string using RSA encryption. I can do it using javascript RSA libraries, but they are too slow (250ms) when decrypting (I need to decrypt a bunch of strings (~30) at a tim

Re: SHA1 considered a PITA

2009-01-26 Thread Eddy Nigg
On 01/26/2009 08:43 PM, Jean-Marc Desperrier: It should work with Windows Server 2003 (not with 2K) and Windows XP clients **with SP3**. The problem we were seeing is, that IIS (or better the certificate viewer - MMC certificate snap-in) complains about invalid signature or certificate corrup

Re: SHA1 considered a PITA

2009-01-26 Thread Ian G
On 26/1/09 19:43, Jean-Marc Desperrier wrote: About Apache, it seems the potential problem is more with OpenSSL, it will not enable SHA-2 by default if you only enable the default algorithms for SSL. But I think most people choose instead to initialize all the algorithms OpenSSL knows about, and

Re: SHA1 considered a PITA

2009-01-26 Thread Jean-Marc Desperrier
Eddy Nigg wrote: On 01/26/2009 04:12 PM, Ian G: No, I can't tell you exactly, I just read s**t on the net :) Because the only show-stopper I found was with Windows 2003 (most likely 2K as well) and Windows XP clients. At least with W2K3 it's a real problem. So far I couldn't see any problem w

Re: SHA1 considered a PITA

2009-01-26 Thread Eddy Nigg
On 01/26/2009 04:12 PM, Ian G: No, I can't tell you exactly, I just read s**t on the net :) Because the only show-stopper I found was with Windows 2003 (most likely 2K as well) and Windows XP clients. At least with W2K3 it's a real problem. So far I couldn't see any problem with Apache + Fir

Re: SHA1 considered a PITA

2009-01-26 Thread Ian G
On 26/1/09 14:03, Eddy Nigg wrote: On 01/26/2009 01:57 PM, Ian G: More on that "SHA1 disaster brewing" thing. My today understanding (wait until tomorrow before challenging ...) is it could be as bad as this: * servers need to support TLS1.2 before the old hash family is gone. * clients need to

Re: Server Gated Cryptography

2009-01-26 Thread Gervase Markham
Nelson Bolyard wrote: >> If it is the latter, what would be the effect of us removing the SSL >> Step Up trust bit in NSS for the list of roots you give? > > No effect whatsoever. Super. Would you care to file a bug to do that, or shall I? :-) Gerv

Re: SHA1 considered a PITA

2009-01-26 Thread Eddy Nigg
On 01/26/2009 01:57 PM, Ian G: More on that "SHA1 disaster brewing" thing. My today understanding (wait until tomorrow before challenging ...) is it could be as bad as this: * servers need to support TLS1.2 before the old hash family is gone. * clients need to support old hashes until the serve

Re: DSV/S-TRUST root inclusion request

2009-01-26 Thread Ian G
On 22/1/09 20:53, Kyle Hamilton wrote: (sorry for the late response.) On Wed, Dec 17, 2008 at 4:20 AM, Ian G wrote: On 17/12/08 12:42, Kyle Hamilton wrote: But... ... and would also violate the archival principle (that signatures of archived documents can be verified via the presence of

SHA1 considered a PITA

2009-01-26 Thread Ian G
More on that "SHA1 disaster brewing" thing. My today understanding (wait until tomorrow before challenging ...) is it could be as bad as this: * servers need to support TLS1.2 before the old hash family is gone. * clients need to support old hashes until the servers stop TLS1.1 * we have

Re: Policy: revoke on private key exposure

2009-01-26 Thread Ian G
On 22/1/09 02:17, lots of people wrote: At 3:45 PM -0800 1/21/09, Nelson B Bolyard wrote: Perhaps Mozilla should change its policy to require CAs to revoke certs when the private key is known to be compromised, whether or not an attack is in evidence, as a condition of having trust bits in Firef

Re: Policy: revoke on private key exposure

2009-01-26 Thread Ian G
On 25/1/09 22:06, Florian Weimer wrote: * Ian G.: What I know of, not exclusive or reliable: ... 2. while certificates by their nature and name are often public ("public key"), that doesn't mean that anyone else can use them. Indeed, some CAs go to the extent of making their certificates