On 2010-06-06 20:38 PDT, james07 wrote:
I would like to create a plug-in for Firefox that, when invoked,
generates a new key in the Firefox key/certificate store. Is it possible
to generate a new keypair using NSS from the plug-in, or do I need to
somehow call crypto.generateCRMF() via
On 2010-06-04 19:21 PDT, TEO Tse Chin wrote:
I encountered an expired cert for an IMAP (STARTTLS) server from an
ISP. While I've followed up with the ISP about the expired cert,
there was something about Thunderbird's behavior that caught my
attention.
In the Add Security Exception dialog
On 2010-06-06 11:22 PDT, aerow...@gmail.com wrote:
File a bug.
No, don't. It would be a duplicate. Find the bug already on file.
It's probably already resolved WONTFIX.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
On 2010/06/03 13:57 PDT, PDF3 SecureEmail wrote:
According to the link at
http://social.technet.microsoft.com/Forums/en-US/officeappcompat/thread/3a19bbc7-9c6b-40ec-823d-16fd88e8de38
Outlook 2010 is OL2010 is using “sender key ID” instead of “issuer
name and serial number” – as per an SMIME
On 2010/06/01 07:04 PDT, Sebastian Mayer wrote:
Solved - and this was again a FIPS issue. The AES_MAC is not in the
list of supported mechanisms in the fips-related security policy.
That's strange. I'm not sure if that's intentional or a bug.
Bob, Glen, Do you know?
Is there a reason for this
On 2010/06/01 11:38 PDT, Kathleen Wilson wrote:
Is there support in NSS to restrict an intermediate CA to only be able
to issue SSL certificates within a specified domain?
Yes, the issuer of the intermediate CA cert can constrain the names that
may appear in certificates issued by that
On 2010/05/31 02:02 PDT, Sebastian Mayer wrote:
Hi All,
I'm having some difficulties in creating a simple AES key as follows:
CK_OBJECT_HANDLE hKey;
CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
CK_KEY_TYPE keyType = CKK_AES;
CK_BYTE keyValue[] = {
0x01, 0x23, 0x45,
On 2010/05/31 11:12 PDT, Sebastian Mayer wrote:
Sebastian Mayer wrote:
And maybe I should also add that I'm running the module in FIPS mode.
yes, that's the crucial detail.
See my reply to your original post.
On 2010/05/23 04:11 PDT, Florian Weimer wrote:
Is there a reference manual for the public NSS API, specifically the
TLS part, the certificate API?
(The ASN.1 and CMS functions might be interesting at some point, too.)
The references are all on line. The most well documented part of the API
On 2010-05-19 03:40 PDT, Šandor Feldi wrote:
Jean-Marc Desperrier wrote:
The web site is also something you develop ?
Thanks for answering. No I do not develop the site and don't have any way
to access or configure apache, and it happens on different sites too... I
forgot to point out, that
On 2010-05-17 08:41 PDT, johnjbarton wrote:
Cormac Herley provides a detailed exploration of dangers of
inappropriate security warnings:
https://docs.google.com/viewer?url=http%3A%2F%2Fresearch.microsoft.com%2Fen-us%2Fum%2Fpeople%2Fcormac%2Fpapers%2F2009%2Fsolongandnothanks.pdf&pli=1
Why
On 2010-05-17 10:31 PDT, johnjbarton wrote:
On 5/17/2010 10:23 AM, Nelson B Bolyard wrote:
My favorite quote:
Given a choice between dancing pigs and security,
users will pick dancing pigs every time.
It's so true. If you really want to disable all security warnings
On 2010-05-14 14:21 PDT, Kathleen Wilson wrote:
Of course, the followup question for folks familiar with PSM...
Is there a hidden preference (or other capability) in the PSM that can
be set to make my Firefox browser display a warning when a 1024-bit cert
is used? e.g. similar to what
On 2010-05-15 01:35 PDT, Wan-Teh Chang wrote:
On Fri, May 14, 2010 at 11:18 PM, Nelson B Bolyard nel...@bolyard.me wrote:
I looked through PSM for such a warning briefly. I found a warning for
sites that use symmetric encryption of strength = 90 bits, but I found
nothing that specifically
On 2010-05-13 14:30 PST, Kathleen Wilson wrote:
Is there an NSS environment variable that can be set such that a warning
is provided when a 1024-bit cert is used in Firefox?
No. Any NSS environment variable would disable a feature completely, not
result in it causing a warning. Any variable
On 2010-05-11 23:23 PST, firefox3.user Nate wrote:
I'm trying to use NSS for adding a new signer to a previously computed
CMS signature, but i can't achieve that, and i have found examples
nowhere.
The first signature is made with the call sequence :
NSS_CMSMessage_Create /
On 2010-04-23 11:33 PST, Nelson B Bolyard wrote:
With my list moderator hat on, I ask this list:
what is your opinion of the Hack in the Box posts to this list?
Are they sufficiently on-topic to let them continue?
or should the list moderation software treat them as spam?
You may reply
On 2010/05/07 12:16 PDT, Klaus Heinrich Kiwi wrote:
On Tue, 04 May 2010 09:28:58 -0700
Nelson B Bolyard nel...@bolyard.me wrote:
It's all handled by the SSL library.
Nelson,
but when implementing a PKCS#11 token, we should be performing the
PKCS#11 v1.5 padding for the CKM_RSA_PKCS
On 2010/05/05 11:29 PDT, M.Hunstock wrote:
I forgot to set some attributes in the PKCS#11 storage object
containing the certificate, including the issuer DN. Apparently that was
the reason for the failing behaviour.
Yes, that will do it.
I haven't found that earlier because I assumed NSS
On 2010-05-03 12:58 PST, Ramon de Carvalho Valle wrote:
I'm having problems with my PKCS #11 implementation and mod_nss. The
requests using SSLv3 protocol fails with bad_record_mac (20). I think
the problem is in client_key_exchange (16), and
OK, that's a possibility, one of many.
I would
On 2010-05-04 05:41 PST, Ramon de Carvalho Valle wrote:
SSLTAP shows the ClientKeyExchange message length in client_key_exchange
(16) is 130 (0x82) for TLSv1 and 128 (0x80) for SSLv3.
Yes, that is a difference between the two protocol versions.
TLS encodes the encrypted pre-master secret
On 2010-05-04 06:41 PST, M.Hunstock wrote:
Hi all,
I am currently developing an application for cryptographic
personalization of smart cards. One of the important usage scenarios is
(of course) SSL client authentication via a web browser. Now that my app
produces cards, I have a strange
On 2010-05-04 08:24 PST, Frédéric SUEL wrote:
I would like to know if RSA 2048 digital signature with SHA hash (224,
256 and more bit) is possible in Mozilla products. In particular if I
can realise a RSA 2048/SHA 256 digital signature with Thunderbird 2.x
or 3.x
The underlying NSS crypto
On 2010-04-30 06:38 PST, Bob Foss wrote:
There are no artifacts on the ftp site for JSS 4.3.2:
ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/
Check again. You may find it has been updated.
On 2010-04-30 10:25 PST, Marsh Ray wrote:
On 4/30/2010 12:17 PM, Nelson B Bolyard wrote:
Unfortunately, Sun's JRE requires signed jars for JCE providers,
so the Mozilla signed jar file is pretty useful.
Signed bits may be available directly from Sun. It's also conceivable
that IBM or some
On 2010/04/30 11:11 PDT, Marsh Ray wrote:
On 4/30/2010 12:51 PM, Bob Foss wrote:
Everything, I've read indicates that a JCE Provider's signing cert
must be signed by a cert from Sun (or maybe IBM).
On 2010-04-29 14:06 PST, Jose Maria Ramirez wrote:
Hello. I am working on a HTTP Proxy in order to access any type of
server through a web browser. So far, only http servers can be accessed.
I am trying to access my windows live (hotmail) account and apparently
the handshake is successful.
On 2010-04-29 11:34 PST, David Stutzman wrote:
Sorry I keep having so many issues with EC :)
Using vfyserv from nss-3.12.6 built using mozilla-build on Vista32.
C:\usr\mozillavfyserv.exe -d . -p 9444 ferret.pki
Connecting to host ferret.pki (addr 192.168.1.171) on port 9444
Error in
On 2010-04-27 22:40 PST, Huzaifa Sidhpurwala wrote:
[...] i want to write a function using nss where i can verify
that the file indeed is a pkcs#8 key.
Any idea if this can be really done?
Does PK11_ImportDERPrivateKeyInfoAndReturnKey work for you?
On 2010-04-27 05:35 PST, mathieu wrote:
I am looking at the nss source code but I cannot find the man page
for cmsutil. All I can find is an online reference:
http://www.mozilla.org/projects/security/pki/nss/tools/cmsutil.html
That's the man page, such as it is.
did I miss anything ?
On 2010-04-27 07:07 PST, David Stutzman wrote:
I just built nss-3.12.6 with the tarball from mozilla.org[1] and when I
try to create a new DB using certutil -N -d . I get the following
error. I'm running certutil out of the dist folder in the nss source
tree after it's built.
certutil:
On 2010/04/27 06:46 PDT, mathieu wrote:
I am trying to understand how to use cmsutil. Here is a self-
contained shell script:
DB=MM
PASSWD=$DB/passwd.txt
RS=$DB/rand.seed
CANN=netauth.com
certutil -N -f $PASSWD -d $DB
certutil -S -s cn=netauth ca,dc=netauth,dc=com -n $CANN \
-f
On 2010/04/23 09:19 PDT, Tomas Kubina wrote:
Hi all,
I am developing new PKCS11 module and I would appreciate help with
this. When I want to see certificate on my token, firefox get all
attributes of the certificate, which it wants, but then tries to find
objects with CKA_CLASS = ce534353.
On 2010/04/22 10:17 PDT, Jose Maria Ramirez wrote:
Hello, I am trying to build JSS, and I get the following errors:
d:\mozilla\security\jss\org\mozilla\jss\util\SSLerrs.h(389) : error
C2065: 'SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET' : undeclared identifier
[snip]
where should each of
On 2010/04/23 11:37 PDT, Robert Relyea wrote:
On 04/23/2010 09:19 AM, Tomas Kubina wrote:
Hi all,
I am developing new PKCS11 module and I would appreciate help with this.
When I want to see certificate on my token, firefox get all attributes
of the
certificate, which it wants, but then
On 2010-04-18 21:16 PST, johnjbarton wrote:
I see nothing wrong with users contacting sysadmins. I object to using
the browser as a platform for badgering Web developers to contact
sysadmins on your behalf.
You continue to make the mistake of assuming that users have no vested self
interest
On 2010/04/19 08:33 PDT, johnjbarton wrote:
On 4/19/2010 1:42 AM, Nelson B Bolyard wrote:
On 2010-04-18 21:16 PST, johnjbarton wrote:
I see nothing wrong with users contacting sysadmins. I object to
using the browser as a platform for badgering Web developers to
contact sysadmins on your
On 2010/04/19 11:32 PDT, johnjbarton wrote:
On 4/19/2010 10:52 AM, Nelson B Bolyard wrote:
On 2010/04/19 08:33 PDT, johnjbarton wrote:
The browser's legitimate role here informs users on the connection they
have to a server. If Firefox is presenting a user interface that shows
a secure
On 2010-03-15 05:25 PST, Rafa M wrote:
Hi all,
I'm testing some SSL sites in order to check SSL cert chains up to new
root certificate from FNMT-RCM (Spanish Mint).
I've tried to connect several Official sites
(https://www.agenciatributaria.gob.es https://sedemeh.gob.es/) and I got
On 2010-04-18 01:49 PST, Nelson B Bolyard wrote:
On 2010-03-15 05:25 PST, Rafa M wrote:
Hi all,
I'm testing some SSL sites in order to check SSL cert chains up to new
root certificate from FNMT-RCM (Spanish Mint).
I've tried to connect several Official sites
(https
On 2010/04/16 17:47 PDT, Mountie Lee wrote:
I really want digital signing feature on firefox as native without plugin.
Do you know about Firefox's crypto.signtext JavaScript feature?
It may not be perfect (as Anders will no-doubt remind us) but it's in
Firefox and requires no plugin.
On 2010/04/14 04:15 PDT, Developer wrote:
Hello,
After test several pages with Firefox, in HTTPS mode.
Why I can not know what part of page is unencrypted?
I see a warning of some parts are unencrypted, but what parts?
A very big problem using data scheme under https downloaded page (old
On 2010/04/12 11:16 PDT, Eddy Nigg wrote:
On 04/12/2010 08:18 PM, Eddy Nigg:
On 2010-04-08 22:17 PST, Anders Rundgren wrote:
Mountie Lee wrote:
I mean CKA_EXTRACTABLE.
as a Sub-CA, when they issue client certificate, they want to make sure
the private key will [not] be exported outside of browser keystore. the
only one exception is when the private key is in hardware
Mountie Lee wrote:
Thanks Eddy.
in IE
the service provider can choose the private key can be exportable or not.
the manual configuration is not so attractive for service provider.
On 2010-04-08 04:14 PST, Anders Rundgren wrote:
Hi Mountie,
A service provider cannot specify *anything*
On 2010/04/08 10:53 PDT, Wan-Teh Chang wrote:
On Thu, Apr 8, 2010 at 10:08 AM, Nelson B Bolyard nel...@bolyard.me wrote:
A PKCS#11 CSP can indeed choose to make private keys exportable or not.
A FIPS mode CSP will generally make private keys unexportable.
NSS's NON-FIPS PKCS#11 CSP can also
On 2010/04/08 11:11 PDT, Anders Rundgren wrote:
Nelson B Bolyard wrote:
snip
Hi Mountie,
A service provider cannot specify *anything* regarding key protection
using Firefox.
Anders, I think Mountie was referring to Crypto Service Provider (CSP),
which is Microsoft's name for software
On 2010/04/08 09:35 PDT, johnjbarton wrote:
On 4/7/2010 9:35 PM, Nelson B Bolyard wrote: ...
Inconveniencing the users is a NECESSARY part of getting this
vulnerability fixed. Without that, the servers have NO INCENTIVE to
lift a finger to fix this.
...
The claim is obviously false
On 2010-04-07 01:54 PST, Jean-Marc Desperrier wrote:
Matt McCutchen wrote:
On Apr 6, 5:54 am, Jean-Marc Desperrier jmd...@gmail.com wrote:
Matt McCutchen wrote:
An extended key usage of TLS Web Server Authentication on the
intermediate CA would constrain all sub-certificates, no?
You
On 2010/04/07 10:43 PDT, Matt McCutchen wrote:
On Wed, 2010-04-07 at 09:55 -0700, johnjbarton wrote:
On 4/4/2010 10:41 PM, Daniel Veditz wrote:
We plan on alerting users in a future update. This is fair warning
to server operators and those who are debugging their sites.
If this is a real
On 2010/04/05 10:12 PDT, G. Richard Bellamy wrote:
I should have been more clear, I was asking if signtool, certutil, etc,
could run in FIPS mode.
Absolutely, yes. It all depends on whether the softoken PKCS#11 module
is configured to be in FIPS mode or not. If it is, then any program that
On 2010-04-03 04:29 PST, Eddy Nigg wrote:
On 04/03/2010 01:07 PM, Nelson B Bolyard:
This is true because the attacker can arrange it so that the victim
client's first handshake is actually a renegotiation for the server.
It's NOT a renegotiation for the client, but it IS for the server
On 2010-04-02 14:06 PST, Eddy Nigg wrote:
Hi Bob,
On 04/02/2010 01:34 AM, Robert Relyea:
When a client (as in our case Firefox) implements RFC 5746, the
client can't be compromised and no data is leaked from the client. I
propose that Firefox should support the RFC 5746 extension
On 2010-04-02 11:07 PST, G. Richard Bellamy wrote:
I have some questions about signtool. Once again, these are probably
n00b questions, so I apologize if they’ve been covered elsewhere… any
guidance on relevant links would be much appreciated (e.g. a link to a
clearinghouse for doco on NSS and
On 2010-03-26 12:04 PST, Kai Engert wrote:
On 26.03.2010 13:44, Gervase Markham wrote:
I've been looking at your documents, but I do think this is a case where
a picture is worth a thousand words. Do you have any plans to provide UI
mockups?
Hi Gerv,
thanks a lot for your feedback. I've
On 2010/03/18 19:55 PST, Mountie Lee wrote:
Hi. all. I'm Mountie Lee of PayGate, Korea.
Welcome.
in Korea, National PKI is becoming big issue maker. one of good
considerations is storing National Certificate to Browser KeyStore.
Are you talking about a root CA certificate?
Or a user's own
On 2010/03/18 20:09 PST, Gen Kanai wrote:
KISA = Korea Internet Security Agency (a Korean government body that
manages infosec policy.)
Yeah, the NSS team has had a fair amount of interaction with KISA in the
past, such as when we integrated their implementations of SEED and the TLS
SEED cipher
On 2010/03/17 09:44 PST, Gregory BELLIER wrote:
Sorry, my two emails are one after the other.
As I said in the previous one, I copied the SEED. Basically, I did grep
-i seed $(find mozilla -type f -print) -l followed by a grep -irn 0096 *
I copied all the occurrences of SEED the cipher and
On 2010-03-12 22:12 PST, Anders Rundgren wrote:
Why is replacing the 15 year old Netscape hack suddenly a bad idea?
Anders,
Your message is evidently a reply to some other message which was not
sent to this list, and which you did not quote. Please provide a URL
where interested readers of this
On 2010/03/11 09:37 PST, Robert Relyea wrote:
On 03/11/2010 05:59 AM, Anders Rundgren wrote:
Hi,
I can't help it, but TLS client cert auth is really a very crappy system
when used in browsers.
Anders, you've expressed that opinion before in this forum many times.
You're entitled to that
On 2010-03-05 15:58 PST, Wan-Teh Chang wrote:
On Wed, Mar 3, 2010 at 4:05 AM, Jean-Marc Desperrier jmd...@gmail.com wrote:
TLS depends on the cipher-suites, and fortunately it's not hard-coded.
Unfortunately, the first cipher suites using SHA256 are the one defined in
TLS1.2 (RFC5246), and I
On 2010/02/22 02:11 PST, makrober wrote:
Nguyễn Đình Nam wrote:
What you're trying to do is a who is watching the watchers kind thing...
...Every existing CA [...] made a promise to comply to the universal PKI
trust policy, we just need a scheme to enforce their promise.
If we need a
On 2010-02-18 03:06 PST, Michael Ströder wrote:
I'm using Seamonkey 2.0.3 under Linux. Is there a way to list and tweak the
cached S/MIME capabilities for certain recipients?
There is no way to list them, at present. There could be. It just doesn't
exist. As for tweaking them, they get
On 2010-02-20 08:46 PST, Nguyễn Đình Nam wrote:
[yet another promotion of perspectives]
Questions/issues:
1. How do you secure the connection to the perspectives server?
(This is a recursive problem)
2. How do you avoid false reports for the multiple servers that legitimately
claim to be the
On 2010/02/03 08:04 PST, John J. Barton wrote:
Kyle Hamilton wrote:
I believe there's something available called KeyManager that should
help, from https://addons.mozilla.org/en-US/firefox/addon/4471 . It
uses XPCOM IDL to access the platform security module. (It also has
an explicit .xpi
On 2010-01-25 17:09 PST, tcma wrote:
I downloaded mozilla192 source on kbuntu 9.10 and did make -f client.mk.
How to build incrementally at the security/nss/lib/pk11wrap directory?
This result in a compile error:
$ cd security/nss/lib/pk11wrap
$ make
Creating ../../../../dist/public/nss
On 2010/01/18 09:52 , Kai Chan wrote:
In cert.h
(http://mxr.mozilla.org/security/source/security/nss/lib/certdb/cert.h#714),
there is a line about obsolete functions:
**OLD OBSOLETE FUNCTIONS with enum SECCertUsage - DO NOT USE FOR NEW CODE
You may assume that particular comment was
On 2010-01-08 13:06 PST, Klaus Heinrich Kiwi wrote:
Given what you just said, openCryptoki seems to be correctly returning
CKR_TEMPLATE_INCOMPLETE when NSS is trying to C_CreateObject() with
vendor-defined object classes.
No. CKR_TEMPLATE_INCOMPLETE means that some attribute REQUIRED by the
On 2009-12-25 08:28 PST, Konstantin Andreev wrote:
On Wed, 03 Jun 2009, Nelson B Bolyard wrote:
Finally, I will add that (IINM) Thunderbird 3 has support for AES.
I don't know about the SHA1 vs SHA2 issue.
No, it hasn't, TB hardcodes SHA1. No variations:
( begin cite
Dear readers of dev-tech-crypto (and others BCC'ed):
For over 13 years now I've been employed to work full time as a developer
of NSS and NSPR, but beginning in January 2010, I shall have a new job
where NSS is not part of my job description.
Consequently, I will have very much less time per
On 2009-12-17 15:39 PST, Nelson B Bolyard wrote:
On 2009-12-17 13:39 PST, Konstantin Andreev wrote:
Hmm... interesting. Do I understand right, arena marks are like
transaction boundaries for memory allocations ? May I consider the
equivalence:
PORT_ArenaMark~~ begin transaction
On 2009-12-16 03:01 PST, Konstantin Andreev wrote:
I see NSS code uses SECITEM_AllocItem() and PORT_Arena{,Z}Alloc() memory
allocation routines almost interchangeably.
Yes, almost.
I see that SECITEM_AllocItem(), basically, just wraps PORT_ArenaZAlloc()
into the arena mark brackets:
I
On 2009-12-16 13:07 PST, Kai Chan wrote:
Is it possible to generate attribute certificates, as specified in RFC
3281, in NSS?
NSS's ASN.1 encoder and decoders are quite capable of encoding and decoding
them, but no templates have yet been created that correspond to the
sequences defined in
On 2009-12-17 13:39 PST, Konstantin Andreev wrote:
Hello, Nelson.
Thank you for your response.
On Tue, 17 Dec 2009, Nelson B Bolyard wrote:
The use of arena pool marks is merely necessary to ensure proper
cleanup in the rare case where the first of those two allocations
succeeds
On 2009-12-10 03:53 PST, Konstantin Andreev wrote:
On Thu, 10 Dec 2009, Lv, Zhiyuan wrote:
I am planning to use the HASH_HashBuf (HASH_AlgSHA256...) in my own
library for SHA256 computing. Currently I encountered an initialization
issue.. Could someone kindly give me some suggestions? Thanks
On 2009-12-04 00:49 PST, Stefan Jordanov wrote:
On 24 Nov, 17:49, Stefan Jordanov stefanste...@gmail.com wrote:
As I say Firefox certificate window I mean Firefox certificate
viewer.
Best regards,
Stefan Jordanov
On 24 Nov, 17:45, Stefan Jordanov stefanste...@gmail.com wrote:
Hello
On 2009-11-30 00:41 PST, ivanatora wrote:
Hello, My goal is to get user signed into my site with a client login
certificate. Some sites like OpenID or cacert.org do it, so it must be
possible :)
Yes.
First I tried to generate the client certificate at the server side
(generate CSR, sign
On 2009-11-30 20:26 PST, Eddy Nigg wrote:
On 11/30/2009 11:47 PM, Kyle Hamilton:
Twitter was breached. Before they disabled renegotiation on their
servers, the status message POST update was POST [...], and then their
Basic-encoded username and password. Someone injected prior bytes
before
On 2009-11-30 19:18 PST, Ian G wrote:
Good article!
Thanks.
On 01/12/2009 01:38, Nelson B Bolyard wrote:
There are two schools of thought about the vulnerabilities related to
the use of renegotiation in SSL 3.x (including TLS 1.x). Briefly, they
are: a) It's SSL/TLS's fault, a failure
On 2009-11-24 13:00 PST, Marc Kaeser wrote:
Are there unpersistent keys in a token? I'll also look for that point in
the specs.
Yes, in the PKCS#11 model, *ALL* objects (key objects, cert objects, etc.)
live in tokens. All crypto engines live in tokens, too, at least conceptually.
Some
On 2009-11-23 01:15 PST, Maciej Bliziński wrote:
I guess the main need for changes are the nss-config and nss.pc files,
since other software packages require them to build. I've seen that
Linux distributions create those files downstream. Is there any
chance for upstream nss-config and
On 2009-11-22 04:44 PST, Maciej Bliziński wrote:
Hello dev-tech-crypto,
I'm working on a Solaris NSS package for the OpenCSW[1] project. I'm
compiling it using Sun Studio 11, on standard OpenCSW buildfarm. I'm
using the standard OpenCSW build system, GAR. The source code of the
build
On 2009-11-21 10:46 PST, Ian G wrote:
Hi Nelson,
On 20/11/2009 20:57, Nelson B Bolyard wrote:
On 2009-11-19 08:24 PST, Daniel Joscak wrote:
Why correct authority key identifier (AKI) can not include both the key
ID and the issuer's issuer name and serial number. We have an authority
On 2009-11-19 05:30 PST, David Stutzman wrote:
In comment 11 of 433105, Bob R said: NSS can open more than one
database at once, it might be good to see if you can specify opening
more than one in the secmod.db file. Is it actually possible to
specify more than 1 softoken using modutil?
On 2009-11-20 00:24 PST, serval wrote:
I need add my certificate into certdb with token Builtin Object Token
The builtin object token is a separate token from the token that holds the
cert DB. You can add your cert into the cert DB, or into the builtin object
token, or into both. See the
On 2009-11-20 10:56 PST, Kai Chan wrote:
Thanks for the clarification. So, by calling CERT_GetDefaultCertDB(), I
get a handle to some type of pseudo-certificate database when
initializing with NSS_NoDB_Init?
Yes. You get a handle to a pseudo cert DB (actually, a trust domain)
regardless of
On 2009-11-19 10:17 PST, Kai Chan wrote:
I'm using NSS 3.12.4 with NSPR 4.8 release. I want to generate keys and
certs with the basic supported ECC curves (nistp256, nistp384, nistp521)
included when NSS is compiled with the NSS_ENABLE_ECC flag. However,
when I try using certutil to
On 2009-11-19 13:07 PST, Kai Chan wrote:
Ah, noobtastic...
A new word for my vocabulary! :)
Thank you for reminding me to check shared library dependencies.
On 2009-11-18 05:43 PST, David Stutzman wrote:
I've recently had a case where I have a DB with around 6700 certs/keys in
it and a call to get the list of certs takes something like 20 minutes to
complete.
If you're using cert7/key3 DB files, that's a known bug, and probably
cannot be fixed.
On 2009-11-08 10:32 PDT, Marc Kaeser wrote:
Hello Robert,
where can I get in touch with the NSS people you told me about?
Here in this mailing list (or newsgroup, depending on how you read it).
I'm facing following problem right now, maybe you can help me:
in
On 2009-10-30 13:11 PDT, Kroehnert, Andreas wrote:
is there anything else you (or the team) needs to know in order to
investigate this further? Also as said, if a HSM is an issue, we will be
more than happy to provide the necessary resources.
If you add comments to bug 374247 about your
On 2009-10-22 12:09 PDT, Ambroz Bizjak wrote:
On Oct 22, 7:22 pm, Nelson B Bolyard nel...@bolyard.me wrote:
What kind of system? What CPU? What clock speed? What memory speed?
Are you doing client authentication with a client certificate?
Are you using Diffie-Hellman Ephemeral cipher suites
On 2009-10-22 05:50 PDT, Ambroz Bizjak wrote:
Hi,
I'm using NSS in non-blocking mode. To perform a handshake on a SSL
socket, I use SSL_ForceHandshake (if it returns PR_WOULD_BLOCK_ERROR I
retry when the SSL socket becomes readable). It works, but I've
noticed that SSL_ForceHandshake
On 2009-10-14 01:33 PDT, Neil wrote:
Nelson Bolyard wrote:
I'll add these thoughts. I don't know of any way to log in to a
token that has no password. IINM, such a token just comes up in a
state that is similar to being already logged in. It's not surprising
to me that forcefully logging
You probably know by now that Thawte has announced an end to its free
email certificate service.
http://www.h-online.com/security/Thawte-discontinues-Web-of-Trust-for-free-SSL-certificates--/news/114447
https://siteseal.thawte.com/support/index.html?page=content&id=SO12658
This has caused many
On 2009-10-14 11:37 PDT, Honza Bambas wrote:
Nelson B Bolyard wrote:
By the way, I REALLY REALLY wish that the password manager would use that
when you click the button to reveal the passwords, instead of doing what
it does now, which forces you to re-enter the master password, even
On 2009-10-14 05:27 PDT, star_ni...@my-deja.com wrote:
Nelson,
Thank you for your response.
The module is an access manager Apache agent module from Sun
(libamapc2). This gets loaded when Apache starts and handles
authentication of AM protected applications.
You are correct
On 2009-10-07 13:33 PDT, Eddy Nigg wrote:
And in the absence of
that trust, checking a cert for revocation is pretty tough. :)
Check it out. If the root is trusted and the client cert has an OCSP AIA
URI it checks.
Given that Firefox trusts NO roots for issuing client certs, Firefox
On 2009-10-05 02:20 PDT, Konstantin Andreev wrote:
Hello.
I need to decode some DER-encoded ASN1 CHOICE, but I can't manage this in
a reasonable way.
FYI, the documentation on NSS's ASN.1 encoder and its two decoders is at
http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn1.html
On 2009-10-04 13:37 PDT, Eddy Nigg wrote:
On 10/04/2009 09:23 PM, Nelson B Bolyard:
On 2009-10-03 15:52 PDT, Jereme Bulzor wrote:
I've enabled client authentication in Sun One Web Server 6.1 and it does
work fine when the client certificate is valid.
I would like to present the user