On 12.04.2010 07:36, Kurt Seifried wrote:
Right but I can't find any contact info for certificate patrol and I
figured if anyone knew about it, they're probably on this list. That
and I couldn't find an add-ons mailing list (how does one get in
contact with them?). The word "contact" doesn't occu
On 09.04.2010 00:41, Matt McCutchen wrote:
On Thu, 2010-04-08 at 09:59 -0700, Robert Relyea wrote:
The yellow larry is a good proposal, and probably implementable much
sooner than noisy warnings.
I'm glad you like it. I guess the next thing needed is for someone to
actually implement it, perh
More sites...
If the user authenticates using a certificate, we could show the
following menu:
www.site.com (disabled menu item)
Log out
x Authenticated (Kai Engert, StartCom Free Certificate Member)
Authent
On 31.03.2010 14:26, Eddy Nigg wrote:
[ Please follow up to mozilla.dev.tech.crypto ]
After some discussion at bug 554594 I'm following up here - the bug was
unfortunately misused by me a little for the initial discussion.
At https://wiki.mozilla.org/Security:Renegotiation under item 4.4 the
On 28.03.2010 06:19, Nelson B Bolyard wrote:
The sequence of events in the dialog is likely, IMO, to give the users the
impression that client authentication is a user-initiated act, rather than
a server initiated act. It seems to say to the user, "if you want to
authenticate to this server with
ut the icons on the status bar, but I'm fine with any location in
primary chrome. If neither client auth nor bad certs are involved, all
icons are hidden.
On 16/03/10 23:12, Kai Engert wrote:
In short, we'd like to stop the current prompts and implement a better
user interface.
On 17.03.2010 02:40, Wan-Teh Chang wrote:
Is your proposal or Aza Raskin's proposal similar to the proposal that
Henry Story of the "foaf" project has been advocating?
No, under the assumption you're referring to http://esw.w3.org/Foaf%2Bssl
Contrary to "foaf+ssl" I'm not proposing any new
I'd like to announce two design documents.
The primary intention is to improve the functionality of SSL client
authentication in Mozilla software.
In short, we'd like to stop the current prompts and implement a better
user interface.
The basic idea is to show an indicator in chrome whenever a
On 23.02.2010 02:21, Jan Schejbal wrote:
Hi,
Test server at https://ssltls.de
none of the two images is visible with my Fx3.6. I don't give any
guarantees about my prefs and addons, though.
Jan
Firefox 3.6 does not yet have any fixes for this. As of today, only the
experimental nightly b
On 18.02.2010 02:45, Eddy Nigg wrote:
If you currently have a https site that's partly open and partly
accessed only with client authentication, I think the only reasonable
way out is to break it in two.
Not sure what you mean, but the server doesn't accept client initiated
renegotiation. R
Eddy Nigg wrote:
On 12/28/2008 01:13 PM, Kai Engert:
The current Mozilla CA Certificate Policy says:
"6. We require that all CAs whose certificates are distributed with our
software products: ... provide attestation of their conformance to the
stated verification requirements ..."
Ian G wrote:
Which language suggests they have to do verification *themselves* ?
The fact that the policy talks about a CA, and I didn't see talk about
external entities.
BTW, it would be quite problematic to insist that the CAs do this job
themselves.
CAs are not generally experts on the
After having read the posts related to the "unbelievable" event, I
understand the event involved an approved CA and an external entity they
work with.
From my perspective, it's a CA's job to ensure competent verification
of certificate requests. The auditing required for CAs is supposed to
prov
Nelson B Bolyard wrote:
Pardon my ignorance, but, what is CentOS ?
CentOS is the name of a Linux distribution.
Kai
smime.p7s
Description: S/MIME Cryptographic Signature
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https:
Nelson Bolyard wrote:
SM 2.0 alpha pre-release does use NSS 3.12, but it still does not support
EV UI. Although I use SM trunk builds exclusively, I have never seen a
"green bar" or the authenticated web site principal name or country name
in the "chrome" anywhere. I see no difference between E
Wan-Teh Chang wrote:
- The password must be at least seven characters long.
- The password must consist of characters from three or more character
classes (uppercase, lowercase, digits, etc.).
NSS rejects abcDEF7 although it matches your above description.
Kai
Kai Engert wrote:
Subrata Mazumdar wrote:
I am using Firefox 3.0.3. I have FIPS enabled the software security
device using "Security Devices" dialog window in PSM.
This step forced me to add password protect the internal Key token
(Software security device).
Then, I tried to
Subrata Mazumdar wrote:
I am using Firefox 3.0.3. I have FIPS enabled the software security
device using "Security Devices" dialog window in PSM.
This step forced me to add password protect the internal Key token
(Software security device).
Then, I tried to change the password of the "internal k
Neil wrote:
Bug 110161 turned on OCSP by default. It also followed this up by
changing the UI from a group of three radio buttons to a checkbox and a
pair of radiobuttons. However these three controls fight over the same
preference. This makes for some hairy preference code, but also I
noticed
Nelson B Bolyard wrote:
Wan-Teh Chang wrote, On 2008-09-02 10:36:
I believe this is the relevant source code in Firefox:
http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSComponent.cpp#1596
The above code sets the default for a new socket.
I believe this
Dominik schrieb:
I am developing a JavaScript-based Firefox add-on which could make use
of cryptography primitives like encrypting/decrypting short strings
with RSA/AES.
A pure JS implementation of those algorithms is way too slow. I have
come across the NSS library which seems to be part of the
[EMAIL PROTECTED] wrote:
for "normal" CAs, it's an easy task to add them as trusted root to
Mozilla. Now I'm trying to setup my own local extended validation CA.
Is it possible to add it locally as trusted root? On the OpenSSL
mailing list I was told this wouldn't be an easy task, as EV CAs are
On behalf of Bob Relyea, who did the majority of the work on this
feature, we would like to announce that a new feature for sharing the
NSS database amongst multiple applications is ready for testing.
The feature is included in NSS 3.12 which is the version that got
shipped in Firefox 3.
We
reference to [EMAIL PROTECTED]'
: undefined reference to [EMAIL PROTECTED]'
: undefined reference to `PR_Initialized'
: undefined reference to [EMAIL PROTECTED]'
Thanks
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Kai Engert
Sent: Frid
Sune Mølgaard wrote:
With sm trunk, I get a whole bunch of prompts for the master password on
startup.
https://bugzilla.mozilla.org/show_bug.cgi?id=348997
Ruchi Lohani wrote:
Hi,
Can anybody tell me something about the various nss packages that are
there in ubuntu (hardy).
I see libnss3-0d
libnss3-1d
libnss3-1d-dbg
libnss3-dev
etc.
I have the following in my /usr/lib
lrwxrwxrwx 1 root root 13 200
Abraham wrote:
I deployed an applet that uses jss in order to get certs (and
associated private keys) on firefox keystore and sign electronic
documents. The applet works well in Firefox 2, but in Firefox 3 the
browser crashes when my implementation of PasswordCallback provides
the token passwo
Pawel P wrote:
I want to overwrite default mozilla 1.9 behavior in https flow.
I want to be informed about certificates (especially bad).
I'll show my own "certificate dialogs" to user and user will decide
if accept certificate or not.
In mozilla 1.8 I used nsIBadCertListener interface to do abo
Eddy Nigg (StartCom Ltd.) wrote:
> For the sport I'm following http://wiki.mozilla.org/PSM:EV_Testing and
> I'm not sure about the fourth parameter of the test_ev_roots.txt
> file: 4_serial
>
> The page says: "One noteworthy detail are the issuer and serial number
> fields, those must be p
I have one on my local system.
Kai
Eddy Nigg (StartCom Ltd.) wrote:
> Has anybody a debug build running somewhere as described at
> http://wiki.mozilla.org/PSM:EV_Testing ? I'd like to ask for a small
> favor before tinkering with my own build...
Boris Zbarsky schrieb:
> Kai Engert wrote:
>> nsIX509Cert expects the underlying CERTCertificate to be complete and
>> valid, and serializing/restoring it based on the DER representation
>> will ensure it.
>
> The message I got from Nelson's reply is that t
Boris Zbarsky schrieb:
> I'm not sure what parts of the CERTCertificate are needed for this; I'm
> hoping
> someone here will know.
>
I would propose you always save the full CERTCertificate.
I would prefer that we avoid having to implement special code for an
after-restore scenario where o
Boris Zbarsky schrieb:
> I'm looking into serializing and deserializing principals, and to do this for
> certificate principals I would need to be able to save out an
> nsNSSCertificate.
> This means saving a CERTCertificate, in addition to various other things
> that
> I think I know how to
Nelson B schrieb:
> Dave Townsend wrote:
>
>> Nelson Bolyard wrote:
>>
>>> $18/year is too expensive, eh?
>>>
>> Heh, this is true. My attempts to find cheap SSL certificates had only
>> yielded $100/per year jobs. Given that they are not that expensive I
>> have started doing a st
Nelson Bolyard wrote:
> I wrote (quoting Bill Burns):
>
> One error I get while attempting to authenticate to an internal site
> with my certificate-on-a-smartcard is this one:
> "Alert: An internal failure has been detected. It not possible to
> complete the requested OCSP oper
[EMAIL PROTECTED] wrote:
> On Mar 30, 7:13 pm, "Bill Burns" <[EMAIL PROTECTED]> wrote:
>
>> Yes -- and we'll have screen shots of example websites that are
>> throwing OCSP-related errors because some well-known public CAs
>> are not scaled up to fully support OCSP. With Vista, this is
>> goin
Both your root.cert and cacert.cert seem to have same serial number and
issuer.
That is forbidden.
But even if your certs had unique serial numbers, I don't know whether
NSS would be able to fetch that intermediate dynamically from the web. I
doubt it.
Kai
Anders Rundgren wrote:
The follo
Bob Relyea wrote:
Matthew Gertner wrote:
We want our extension to have its own certificate database, separate
from the one used by Firefox. Apparently this will be possible with
NSS 3.11, but I was told that there might be an issue with the
internal data structures. If PSM handles global initi
Nelson B Bolyard wrote:
Presently, A user must initiate the first fetch of a CRL from the CA.
CRLs are fetched asynchronously from cert chain validation.
CRLs are stored on disk locally, IIRC. After fetching the first one,
mozilla clients will fetch subsequent CRLs automatically on a periodic
ba
lizes NSS, then no NSS databases will be available to Firefox, eg.
all SSL connections will fail due to the lack of trusted CA certs.
I can't help you with which PSM functions you need to call to ensure
that PSM is initialized unfortunately, but Kai Engert should know the
answer.
PSM will
Brian Ryner wrote:
I'll do some profiling to make sure it's the DB initialization that's
causing the performance hit.
I guess maybe I should have mentioned that I'm currently using these
methods through the nsICryptoHash XPCOM wrapper.
I recommend that you continue to use this API.
Using thi
Wan-Teh Chang wrote:
So, if the app has already initialized NSS,
you just go ahead and use NSS functions. Else,
you have to initialize NSS (in the "no database"
mode) first, and have to shut down NSS.
This sample code assumes that this thread is
the only thread that may initialize NSS in the
ap
[EMAIL PROTECTED] wrote:
I know there is some problem in my PKCS#11 implementation, but,
FireFox should not crash because of my bugs.
If your code has bugs and corrupts memory, you can't expect the rest of
the process to work correctly.
> 7. FireFox crashed with the following error message:
Kai Engert wrote:
Jean-Marc Desperrier wrote:
I don't know where Bob's message appeared originally. It's not on the
newsserver, on google or my mail (might be the fault of the strong
filtering on alussinan.org).
Bob sent his message to the dev-tech-crypto mailinglist that
Jean-Marc Desperrier wrote:
I don't know where Bob's message appeared originally. It's not on the
newsserver, on google or my mail (might be the fault of the strong
filtering on alussinan.org).
Bob sent his message to the dev-tech-crypto mailinglist that is supposed
to mirror the newsgroup.
Yesterday we checked in a larger change to the trunk that affects secure
connections (SSL/TLS) in all Mozilla applications.
The new code is active whenever you access a site using a protocol like
https:// or imap+ssl or smtp+tls, etc.
The purpose of the change is to make OCSP (certificate val
Nelson B wrote:
Philip Hoyer wrote:
I was wondering if it is possible to get hold of, within a Firefox plug
in code or Javascript, the certificate of the server of the SSL session
(one way) of the page on which the plug in or script resides.
So basically
1) URL typed into browser https:
re builds of Firefox, Thunderbird and SeaMonkey for Linux, Mac OS
X and Win32 available. (All names are trademarks of their respective owners)
http://kuix.de/mozilla/ocspproxy/20060202/
Please feel free to provide feedback by private mail (kengert@), all
comments are highly welcome.
Thanks and Regar
to solve the problem of unwinding our
blocking NSS APIs from Necko, so we can use Necko while we are blocked.
Kai
Jean-Marc Desperrier wrote:
Kai Engert wrote:
Did you produce an application that includes not just NSS, but also
PSM and its additional SSL layering? If your own applicatio
As of today, OCSP in NSS does not work from within an environment that
requires the use of a proxy server to access the OCSP responder server.
Instead of extending NSS' internal HTTP client with support for proxies,
we are working on a mechanism that allows a client application to do
HTTP comm