Re: PKCS#11 Module for TPM availiable

On 2009-07-07 00:33 PDT, Anders Rundgren wrote: > The naked truth is that provisioning of TPMs is not supported by > any generally established protocols or APIs (at least using TPM methods), > but this is also a fact for smart cards since there is no way you > can policy-define/set PIN-codes using

Re: PKCS#11 Module for TPM availiable

On 2009-07-06 07:41 PDT, Martin Schneider wrote: > I want to use certificates which according private key is protected > inside a Trusted Platform Module and use these Certificates for client > side authentication towards a web based service running on an Apache. > > As far as I understand, there

Re: Problem reading certificate from hardware token

On 2009-07-04 04:31 PDT, Eddy Nigg wrote: > On 07/04/2009 02:20 PM, Anders Rundgren: >>> It's not a good idea to place the CA certificate on the token because >> I think it is Firefox that's confusing. > > Sure, it's a bug. If the CA root is trusted in the "software security > device", its trust

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

On 2009-07-05 05:57 PDT, Martin Paljak wrote: > The problem is that an average users thinks like this: "password is > something like 'topsecret123', PIN code is something like '1234', I'm > asked for a password, let me see, which passwords I know that I might > type here..." More experienced

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

On 2009-07-04 04:19 PDT, Ian G wrote: > Some remarks. > > On 4/7/09 12:18, Martin Paljak wrote: > >> Firefox displays a "Please enter password for ..." dialog, which is >> ambiguous for casual users who need to be said very clearly when they >> need to enter the PIN of 4 or more digits. Right now

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

Martin, I want to read your full message and respond fully later this weekend, but right now I just want to try to clarify a couple things. >>> FYI, to make sense to users of eID cards currently one has to embed >>> the word PIN into the token description as well, so that the prompt >>> that Firef

Re: Problem reading certificate from hardware token

On 2009-07-03 04:33 PDT, Udo Puetz wrote: > What we've found out now is this: there is no CA certificate on the > token. And it seems that firefox needs the CA and the user certificate > from the same place: I don't believe it is true that Firefox requires both to be in the same token. > If I im

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

On 2009-07-03 05:29 PDT, Ian G wrote: > We desperately need some form of whitelisting in Firefox so that each site > always gets presented the same cert. If browsers can remember cookies > and username/passwords, then they can remember cert/domain combinations. This goes double for Thunderbird

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

On 2009-07-03 00:30 PDT, Martin Paljak wrote: > Some constructive suggestions; mostly for Firefox: > > 1. Use platform API-s where appropriate: cryptoapi (and basecsp via > this) on windows; cdsa/keychain on macosx. Regardless of who does it, this triples/quadruples the amount of work to be d

Re: client certificate JSS keystore

On 2009-07-03 10:52 PDT, Dmitriy Varnavskiy wrote: > I have run several tests of JSS on Linux - they all worked fine so seems > JSS is correctly installed. But when I am launching my app java for some > reason is not using certificates in firefox keystore. Thanks for being patient. Our JSS expert

Re: W3C Terminates XHTML2

On 2009-07-03 08:39 PDT, Anders Rundgren wrote: > This demonstrates that standardization is an option but an increasingly > difficult option as well in an ever faster-moving world: > http://www.w3.org/2009/06/xhtml-faq.html Does it? It appears to me that this is the standards body pruning the tre

Re: Problem reading certificate from hardware token

On 2009-07-02 12:17 PDT, Anders Rundgren wrote: > If you want to use Hardware tokens, PKCS #11, and Firefox you > either must be nuts, a masochist, very smart, or highly committed. > > For ordinary users it makes little sense. > > Hardware tokens: there are any number of different types > PKCS #1

Re: Problem reading certificate from hardware token

On 2009-07-02 02:58 PDT, Udo Puetz wrote: > I want to authenticate against a juniper SA 2500 firewall with a user and > password AND a certificate. > I have a safenet iKey 1032 token where I imported the p12 certificate. > In firefox (tried 2.0.x, 3.0.x and 3.5.x) I imported the safenet > K1PK112

Re: S/MIME in Thunderbird

On 2009-06-30 07:39 PDT, Jean-Marc Desperrier wrote: > Nelson B Bolyard wrote: >>> Does this assume LDAP for acquiring the certificate without a signed >>>> S/MIME message? (So it is only relevant in corporate setting?) > >> No. There are many ways to get

Re: client certificate JSS keystore

On 2009-06-26 04:13 PDT, Dmitriy Varnavskiy wrote: > I am deploying javaws application that uses client certificate for > authentication. It is starting with jnlp ref from web page that also uses > client certificate. So, nedeed certificate presents in browser on client > machine. For application

Re: Unable to add softokn3.dll to secmod.db

On 2009-06-25 18:25 PDT, Sudarshan Gaikaiwari wrote: > I am trying to configure NSS on a Windows 2003 machine to work as a JCE > provider under Java 6 in the FIPS mode. I am using the instructions > http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#NSS > > However I am unab

Re: clarifications on TLS extension "Certificate Status Request"

On 2009-06-22 12:05 PDT, Nagendra Modadugu wrote: > I am currently implementing the "Certificate Status Request" extension > (RFC4366) for NSS. The primary use of this implementation will be > OCSP verification of certificates presented by SSL websites. > > For the general Internet context, I am

Re: S/MIME in Thunderbird

On 2009-06-21 03:24 PDT, Ian G wrote: > On 19/6/09 15:36, Jean-Marc Desperrier wrote: >> Nelson B Bolyard wrote: >>> if you send an encrypted message to someone from whom you have never >>> received a signed S/MIME message, you will use weak encryption. > > Does t

Re: Firefox3.5 support for NSS version

Hanseong Ryu wrote: Do Firefox3.5 support for NSS version like NSS 3.xx.x in detail ? I believe your question is: What version of NSS is found in Firefox 3.5 (in the current release candidate)? The answer is found here: http://mxr.mozilla.org/mozilla1.9.1/source/security/nss/lib/nss/nss.h#6

Re: Does NSS support non-blocking sockets?

I wrote: > SSL_ForceHandshake is like a PR_Read or PR_Write call except that it > transfers to data. make that "transfers NO data." -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Does NSS support non-blocking sockets?

On 2009-06-19 15:01 PDT, Rich Megginson wrote: > Nelson B Bolyard wrote: >> On 2009-06-19 12:48 PDT, Rich Megginson wrote: > Yes. This is an implementation of a PRIOMethods stack. So what I mean > is "this is the function that implements the PR_Recv functionality for &g

Re: Does NSS support non-blocking sockets?

On 2009-06-19 12:48 PDT, Rich Megginson wrote: > Does NSS support non-blocking sockets? Yes. > I'm running into a problem while using NSS with non-blocking sockets. I > have my own PR_Recv function that does something like this: Although you called it a "PR_Recv" function, I gather that it i

Re: referral links to developer.mozilla.org

On 2009-06-17 03:44 PDT, Gervase Markham wrote: > On 15/06/09 18:18, Glen Beasley wrote: >> I can do the same for the NSS and NSPR? > > The wisest thing to do would be to complete the migration and then put a > redirect in place. Is anyone actively working on migrating the remaining > content?

Re: SHA-1 collisions now 2^52

On 2009-04-30 15:49 PDT, I wrote: > SHA-1 has taken a significant hit. See > > http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf That URL was for a set of 4 slides that were presented at a conference. They didn't reveal much detail. Now, the paper revealing the details has b

Re: NSS, AIA, Bridge

On 2009-06-05 03:16 PDT, Néric wrote: > > Hi Nelson, > > First of all, thank you very much for your time and for the quality > answers. I’ve understood everything except but one thing: > Did you really mean that I could have 2 versions of NSS on my computer? > One for Debian and one specific to M

Re: NSS, AIA, Bridge

On 2009-06-04 02:23 PDT, Néric wrote: > Context: > > I am working on PKI cross certification using a PKI bridge. > To fetch missing certificates, I use the following AIA certificate > extension: > > CA Issuer: URI : http://_...@ftp_server__/.../bundle.p7c > > where bundle.p7c contains the missin

Re: When can we call SSL_PeerCertificate?

On 2009-06-04 16:55 PDT, Wan-Teh Chang wrote: > On Thu, Jun 4, 2009 at 1:15 PM, Nelson B Bolyard > wrote: >> There is a similar function for suspending and restarting the SSL >> handshake processing at another point where there may be long delays, >> namely, when the use

Re: When can we call SSL_PeerCertificate?

On 2009-06-03 19:16 PDT, Wan-Teh Chang wrote: >> That means that you always put the cert and its chain into the client's >> cache, and cache the negotiated SSL session, where it will be restarted >> by future attempts to connect to the same host/port. This seems >> inadvisable. > > Yes, that's a

Re: When can we call SSL_PeerCertificate?

On 2009-06-02 11:17 PDT, Wan-Teh Chang wrote: > This message is long. Please bear with me. A mere 73 lines. :) > On 2008-12-18, Dan Kegel reported in this thread that we can't call > SSL_PeerCertificate after the bad-certificate callback function returns > because the peer certificate has been

Re: S/MIME in Thunderbird

On 2009-06-01 12:07 PDT, Andrew Manore wrote: > I'm not able to see what encryption algorithms Thunderbird 2.0.x is > using. From what I've been able to tell (through downloading the > encrypted message into Microsoft Outlook), Thunderbird is using 3DES > encryption with SHA-1 hashes. Thunderbi

Re: issue with a lot of certificates and keys in DB

On 2009-06-03 07:02 PDT, David Stutzman wrote: > I have a DB that has just shy of 7000 keys/certs in it. From the > command line using certutil -L takes ~5 mins or so and then finally > starts showing output all at once after the delay. It ends up using > 80-90MB of ram (according to task manag

Re: KEYGEN tag - documentation

On 2009-05-31 07:17 PDT, Jan Schejbal wrote: > I was playing around with the html tag, but I did not find any > documentation on how the generated keys can be accessed. key3.db is > growing, so the keys are probably saved, but is there some UI to > view/manage/export/delete such keys in Firefox

Re: Roots that are identical except for signature algorithm and serial number

On 2009-05-29 09:22 PDT, Rick Andrews wrote: > On May 28, 3:12 pm, Nelson B Bolyard wrote: >> On 2009-05-28 10:52 PDT, Kathleen Wilson wrote: >> >>> Just to make sure I understand… >>> In the VeriSign case the MD2 roots expire on 2028-08-01, and the SHA1 >&

Re: how to sign CRMF/SPKAC using openssl

On 2009-05-28 21:51 PDT, tito wrote: > I am making a CA site for my college project purpose.I learned that > different browsers use different methods to generate CSR.Making CSR in > IE was easy.For vista systems I used CertEnroll.dll methods and for > non-vista IE i used xenroll.dll.I generated CS

Re: Roots that are identical except for signature algorithm and serial number

On 2009-05-28 13:09 PDT, Frank Hecker wrote: > Nelson B Bolyard wrote: >> An SSL server that sends out a full chain with a SHA256 root could >> conceivably cause a problem for a remote SSL client that does not understand >> SHA256 signatures and that chooses to check the sign

Re: Roots that are identical except for signature algorithm and serial number

On 2009-05-28 10:52 PDT, Kathleen Wilson wrote: > Just to make sure I understand… > > In the VeriSign case the MD2 roots expire on 2028-08-01, and the SHA1 > roots expire on 2028-08-02, so the SHA1 roots would take precedence in > NSS. Therefore, there is no benefit in keeping the MD2 roots, and

Re: PR_Read fails second time on Solaris 8

Vinu wrote, on 2009-05-27 15:26 PDT: > The server sends the data and then closes the connection(becuase we use HTTP > Connection:close and not Keep-Alive). > > But shouldnt PR_Read return the entire data and then only return 0(becuase > the connection is closed). > How can it return 0, before al

Re: New root certificates and Thunderbird

Rolf Lindemann wrote, On 2009-05-24 09:52 PDT: > Do you know which version of Thunderbird will get the NSS version containing > the new root certificates? No. I would hope that the upcoming Thunderbird 3 release would include them, but I cannot say with any certainty that it will. This might be

Re: Roots that are identical except for signature algorithm and serial number

Rob Stradling wrote, On 2009-05-27 01:35: > Frank, Nelson, just in case it's useful... > I recall that GlobalSign recently refreshed their "GlobalSign Root CA": > https://bugzilla.mozilla.org/show_bug.cgi?id=406794 > > When the new GlobalSign Root CA certificate (which expires in 2028) was added

Re: Roots that are identical except for signature algorithm and serial number

(Sorry for the apparent tardiness of this reply. I wrote it the day that I read Frank's message, and thought I sent it, but evidently did not send it until today.) Frank Hecker wrote, On 2009-05-22 07:24 PDT: > So, just to clarify: I *think* you're proposing that we do the following > in cases w

Re: Pending roots and EV enablements

I'm happy to report that the NSS changes were committed today to the source repository from which FF 3.5 will be built. The changes made it in just "under the wire" (at the last moment). I'm thankful to all the people who helped make that happen. However, It appears that the PSM changes, enablin

Re: Pending roots and EV enablements

Eddy Nigg wrote, On 2009-05-18 18:38 PDT: > I'll create also the missing patch for Cybertrust and/or upon advise a > mega patch of all EV enablements. Errr...please advise :-) Thanks Eddy. I see you've already produced patches for 4 of those 6 bugs. Patches for the remaining two would also be ni

Re: Pending roots and EV enablements

There are 9 NSS bugs requesting new root CA certs and/or changes to trust flags on existing root CA certs in NSS. See them at

Re: Accessing current URI within nsCrypto::importUserCertificates()

Gaurav Aggarwal wrote, On 2009-05-16 15:55: > I want to put some additional checks in nsCrypto::importUserCertificates() > function. For these checks, i want to access the URI of the script that > called this function (originating URI) and the URI of the parent page (host > URI). > > Could any

Re: a minor nit-pick with certutil

kashyap wrote, On 2009-05-15 00:57: > Hi, > > *-W* option(to change password of the key database) is not listed when > we do a certutil -H. > > But the functionality do work fine, if we try to change an existing > password of the nss key database by using > *certutil -W -d /home/user/.mozilla/f

Re: failed to generate key using window.crypto.generateCRMFRequest() method

Subrata Mazumdar wrote, On 2009-05-14 20:53: > I just have another question. According to the source code > (http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c#92) > > signing with EC key is disabled irrespective of underlying security > device. What about if I am using

Re: failed to generate key using window.crypto.generateCRMFRequest() method

Kaspar Brand wrote, On 2009-05-13 22:16: > Subrata Mazumdar wrote: >> As I have said in the earlier message, I have no problem in generating >> EC key-pair. I get error when I try to sign the request using the >> private key. > > Maybe you're falling prey to this bug? > > https://bugzilla.mozil

Re: Finding certificate extension using Object Identifier

Gaurav Aggarwal wrote, On 2009-05-13 20:07 PDT: > I was trying to find a custom extension using its object identifier (in > decimal) : "1, 3, 6, 1, 5, 5, 7, 1, 100". > > It seems to me that only CERT_FindCertExtension() function is public. If you would like to see CERT_FindCertExtensionByOID b

Re: failed to generate key using window.crypto.generateCRMFRequest() method

Subrata Mazumdar wrote, On 2009-05-13 17:58: > Nelson B Bolyard wrote: >> That's strange. Your DSA test code should NOT have worked. I wonder >> how it could have worked, given that you supplied no "params". > According to the source code > (http://mx

Re: Pending roots and EV enablements

Gervase Markham wrote, On 2009-05-13 14:46: > On 11/05/09 20:32, Nelson B Bolyard wrote: >> Ideally, one could tell Tryserver to "Take Firefox source from the current >> branch for FF 3.0.x or FF 3.5 (from CVS or Hg, as appropriate), plus NSS >> from CVS tag X, plus this

Re: failed to generate key using window.crypto.generateCRMFRequest() method

Subrata Mazumdar wrote, On 2009-05-13 06:45 PDT: > The key genartion now works for RSA and DSA key types but it still fails > for EC key type. >>else if (keyType == "dsa") { >>keyGenAlg = "dsa-sign-nonrepudiation"; >>keyParams = null; >>} That's strange. Your DSA test c

Re: Fwd: Has any public CA ever had their certificate revoked?

Frank Hecker wrote, On 2009-05-12 11:32: > Paul Hoffman wrote: >> Peter Gutmann asked on a different mailing list: >> >>> Subject says it all, does anyone know of a public, commercial CA >>> (meaning one baked into a browser or the OS, including any sub-CA's >>> hanging off the roots) ever having

Re: Cache CRL SSL Test is Failing

Glen Beasley wrote, On 2009-05-11 14:01: > John Smith wrote: >> Hi: > >> *Glen*: Wow, you managed to match that bug to my problem, even though >> the test numbers are totally different (as per what Nelson said)! Its >> not terribly important that all tests pass for my purposes, so I think >> I

Re: Pending roots and EV enablements

On May 11, 2009 at 8:44 AM PDT, Eddy Nigg wrote: >> >>> There are quite some roots which should be included and nobody seems >>> to be working on it. Can Nelson or somebody advise if to provide >>> patches for those roots or not? Changes to the built-in root CAs, or the list of EV-enabled CA, inv

Re: After Importing a p12 file, certificate does not show in the certificate list

Kaspar Brand wrote, On 2009-05-07 22:22: > Nelson B Bolyard wrote: >> Please provide a URL for the bugzilla bug that you filed. It was evidently >> filed in a different bugzilla than mozilla.org's. > > It's bug 491698, actually, and NSS's PKCS#12 decoder se

Re: After Importing a p12 file, certificate does not show in the certificate list

Ricardo, Please provide a URL for the bugzilla bug that you filed. It was evidently filed in a different bugzilla than mozilla.org's. > I've just created an application that generates .p12 certificates. I can > import them correctly onto the windows keystore with no problem and all > the extensio

Re: Cache CRL SSL Test is Failing

John Smith wrote, On 2009-05-07 15:00 PDT: > I downloaded the NSS 3.12.3 and NSPR 4.7.4 source code and was running > the provided test suite. However, test #537 (part of "Cache CRL SSL > Client Tests") gets stuck (all previous tests pass according to > results.html), and I have to kill the test

Re: Hacking Firefox

Ian G wrote, On 2009-05-04 13:26: > On 4/5/09 22:04, Nelson Bolyard wrote: >> A very similar hack has already been done. It's a Firefox extension >> that (IIRC) silently installs some roots and shows the green bar for >> (some of) the certs that chain up to those roots. See it at >> https://addo

Re: Importing certificates using certutil

hawkinsconsult...@googlemail.com wrote, On 2009-05-01 00:25: > I am having a problem importing a certificate. I am using the > following commands > /blah/certutil -D -n "s1as" -d . > /blah/certutil -A -n "s1as" -t "u,u,u" -d . -i /tmp/blah.cer > > The problem is that it will not import the certifi

SHA-1 collisions now 2^52

SHA-1 has taken a significant hit. See http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: i'm searching "Devstudio Power Plotter"

trapp...@libero.it wrote, On 2009-04-30 01:17: > Hi all, > i'm using Devstudio Power Plotter and this software requires an hardware key. > [...] or does anyone have also a previously version but already cracked? > Thank you very much for your attention! > Nico Nico, Sorry, you won't find any "cra

Re: PKCS#7 Enveloped-data (RFC 2630/3369/3852)

Mathieu Malaterre wrote, On 2009-04-29 13:37: > Hi there, Hi Mathieu, Welcome to dev-tech-crypto. You can expect replies here in 24-48 hours after you post. > I need to encrypt some content in an Enveloped-data content type of > the cryptographic message syntax defined in RFC 2630/3369/3852. > Q

Re: How to export private key using pk12util

I wrote: > The message to users was (and still is), if you want to export your > private key, PKCS#11 is the answer. er. make that #12. Unlike PKCS#8, which for a long time (and maybe still today) implied unencrypted storage of private keys, PKCS#12 has been associated with encrypted storage of p

Re: How to export private key using pk12util

Andriy Zakharchuk wrote, On 2009-04-24 02:39: >>> <0> AAA-update-key >>> <1> BBB-update-key >>> <2> CCC-update-key >> It that literally what you see? Or do you see output with some long >> strings of hexadecimal characters, e.g. >> <0> 0549d7e3a1b3c5d7f89 [...] > Yes, I see symbolic names, no

Re: non-approved PRNG in FIPS mode

ksreedha...@gmail.com wrote, On 2009-04-24 14:04: > Hello, > > I am using NSS 3.11.4 and NSPR 4.6.4 > > Will the non-approved PRNG of NSS be functional/usable when NSS is in > FIPS mode. What "non-approved PRNG of NSS" ? -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https:/

Re: How to export private key using pk12util

Andriy Zakharchuk wrote, On 2009-04-23 12:07: > Hello all, > > I have a keys database file (key3.db) and need to export a private key > from it, but can not do this. What version of the NSS utilities are you using? version 3.??.?? > certutil.exe -L -d . > > gives empty output (empty line) and

Re: UTF-8 Hashing

Jean-Marc Desperrier wrote, On 2009-04-22 12:17 PDT: > starryrendezv...@gmail.com wrote: >> hash: function(str,method) { >> [...] str.charCodeAt(i) > > python quite probably outputs the value of str.charCodeAt(i) as some > variant of a UTF-16 value. Or UCS-2 with no handling of surrogates. >

Re: UTF-8 Hashing

starryrendezv...@gmail.com wrote, On 2009-04-22 07:40: > If it helps, here is the code I currently utilize; [snip] I suspect (that is, guess) that your problem is at one of these two places: 1. Perhaps the following code does not pass the UTF8 string you expect it to pass to the hash algorithm.

Re: The element

Martin Thanks for your very informative and useful email. There was a lot of good information in there. It's good to see how PKI and smart cards are being taken up in the world, even if at the present it is limited to a few nations. /Nelson -- dev-tech-crypto mailing list dev-tech-crypto@lists

Re: The element

Martin Paljak wrote, On 2009-04-18 00:51 PDT: > FYI, Apple has made it virtually impossible to use smart cards with > Safari because of *requiring* such configuration on the client side > (host:port configuration for every certificate for every site where > you want to use it). > > With Fir

Re: The element

contains the keygen tag. >> In the future it is also conceivable that such requests is to be made >> for keys stored on smartcards, so a source selector might be an idea, >> perhaps also with the capability to specify specific cards. Yes, and I think FF UI has that. It

Re: How to get logs what should we request when a bug involves crypto

Ludovic Hirlimann wrote, On 2009-04-09 03:05 PDT: > Often we get issue that involve certificates, or crypto errors. Are > there any ways to log what PSM or NSS do the way we can log other > protocols - I haven't found anything in the documentation. Also what > are the obvious things to check a

Re: Generating Entropy.

0x00 wrote, On 2009-04-08 07:45: > I have this so far, which seem to produce a good set of random bytes: > > buffer = ''; > var PRNG = Components.classes['@mozilla.org/security/random-generator; > 1']; > var rg = PRNG.getService(Components.interfaces.nsIRandomGenerator); > randomBytes = rg.gen

Re: CRL update mechanism for mod_nss

dave davesons wrote, On 2009-04-03 06:22 PDT: > If you import an updated version of a CRL in mod_nss and you make use of > the same nickname: > * Is it necessary to restart the web server for mod_nss to take it into > account? > * Does mod_nss still remember the old CRL? Dave, while mod_nss uses

Re: tstclnt with self signed certificate

ksreedha...@gmail.com wrote, On 2009-04-02 21:54: > Hello, > > NSS version 3.11.4 > > If I use the tstclnt with self signed certificate on the server (with > some name in Issuer/Subject common name for Certiificate) > > "tstclnt -h -p -d -v -2 -3 -c > v". It fails with the error "certificate

Re: RSA AES Cipher problem with JSS/NSS

ksreedha...@gmail.com wrote, On 2009-04-01 17:54: > Hello, > > I am [using] Mozilla-JSS as the provider in my Java application which > is a SSL client connecting to OpenSSL based SSL Server. You haven't reported version information, such as: - version of JDK/JRE - version of JSS - version of NSS

Re: Allocator mismatches

Benjamin Smedberg wrote, On 2009-03-30 07:25: > On 3/30/09 4:00 AM, Nelson B Bolyard wrote: > >> On Windows, the JEMalloc code can ONLY be built with the non-free >> "professional" version of Microsoft Visual Studio, and CANNOT be built >> with the free version.

Re: Allocator mismatches

Neil wrote, On 2009-03-30 02:10: > Nelson B Bolyard wrote: > >> Neil wrote, On 2009-03-29 17:01: >> >> >>> Firefox may want to switch to using the jemalloc allocator on the >>> Mac. >>> >>> >> Well, I hope it won't mean fo

Re: Allocator mismatches

Neil wrote, On 2009-03-29 17:01: > Firefox may want to switch to using the jemalloc allocator on the Mac. Well, I hope it won't mean for the Mac what it has meant on Windows. On Windows, the JEMalloc code can ONLY be built with the non-free "professional" version of Microsoft Visual Studio, and

Re: Current algorithm support for Firefox?

albiii wrote, On 2009-03-26 06:07: > When will you support full TLS 1.2 i.e. rfc5246 > http://www.ietf.org/rfc/rfc5246.txt ? > especially P_SHA_256 and enhanced key-exchange ? There is no definite plan of record or schedule for doing that. I would very much like to do that, and also RFC 5430

Re: AIA CA issuers. Re: client certificates unusable?

Eddy Nigg wrote, On 2009-03-23 11:20: > On 03/23/2009 08:13 PM, Nelson B Bolyard: >> Perhaps PSM should have a feature, used at cert import time, that discovers >> that the chain is incomplete and offers, at that time, to go and fetch the >> missing certs in the chain via AIA

Re: client certificates unusable?

Ian G wrote, On 2009-03-22 16:01 PDT: > Man in the Browser. It is a term that seems to have caught on to > describe what happens when the browser is taken over by malware, and it > owns the interface. To solve the security problems that arises in > online banking is more challenging, which is

Re: Summing it up. Re: client certificates unusable?

Eddy Nigg wrote, On 2009-03-23 08:30: > On 03/23/2009 06:29 AM, Nelson B Bolyard: >> 1) When the user downloaded his new email cert in his browser, he didn't >> get the full chain, but only got his own cert. So, he didn't have the >> complete cert chain in his b

Re: AIA CA issuers. Re: client certificates unusable?

Anders Rundgren wrote, On 2009-03-23 08:19: > In theory TLS path-building could be addressed by server-admins. Yes, they could do that in their roles as Subject parties and as Relying parties. I'd definitely recommend the former. The latter may be a good alternative to AIA because it would avoid

Re: Summing it up. Re: client certificates unusable?

Eddy Nigg wrote, On 2009-03-22 14:22: > On 03/22/2009 10:38 PM, Nelson B Bolyard: >> Oh, those poor server admins! > > Wrong! It's those poor users exporting their client certs from Firefox > into Thunderbirdand then they have no clue why they can't sign their

Re: Summing it up. Re: client certificates unusable?

Anders Rundgren wrote, On 2009-03-22 14:20: > Nelson B Bolyard wrote: > >>>> Solution: One solution would be to define signature support as a >>>> browser component. > >> Especially the component you've invented and have been trying to get >

Re: Summing it up. Re: client certificates unusable?

Kyle Hamilton wrote, On 2009-03-22 13:54: > 2009/3/22 Nelson B Bolyard : >> Eddy Nigg wrote, On 2009-03-22 12:51: >>> On 03/22/2009 07:25 PM, Anders Rundgren: >>>> >>>> FF issue: It

Re: PKCS #11. Re: client certificates unusable?

Anders Rundgren wrote, On 2009-03-22 13:34: > I don't think PKCS #11 fills the role as universal crypto system for > the mass market since there is no registry like its competitors have. > Installing Security Devices (including finding out the path to them), > is way beyond what a consumer can do.

Re: Summing it up. Re: client certificates unusable?

Eddy Nigg wrote, On 2009-03-22 12:51: > On 03/22/2009 07:25 PM, Anders Rundgren: >> Solution: One solution would be to define signature support as a >> browser component. Especially the component you've invented and have been trying to get Mozilla to adopt for some time, right? Anders? > Sounds

Re: client certificates unusable?

Kyle Hamilton wrote, On 2009-03-22 04:40: > On Sat, Mar 21, 2009 at 5:57 PM, Nelson B Bolyard > wrote: >> Kyle Hamilton wrote, On 2009-03-21 15:49: >>> On Sat, Mar 21, 2009 at 2:58 PM, Nelson B Bolyard >>> wrote: I blame NSS for choosing not to adhere to certain

Re: client certificates unusable?

Eddy Nigg wrote, On 2009-03-22 02:57: > [...] client certificates AND OpenID are a great combination. We don't > sell it, it's free. > > OpenID is a digital identity and eliminates the need for multiple > usernames across different websites. For authentication at the provider > side we use clien

Re: client certificates unusable?

I wrote: > Here's the TB RFE: https://bugzilla.mozilla.org/show_bug.cgi?id=437683 > BTW, this client auth problem is MUCH MUCH worse for Thunderbird users than > for browser users, because evidently a higher percentage of free email > servers are crap. > > I'll have to dig a bit more for the FF o

Re: client certificates unusable?

Kyle Hamilton wrote, On 2009-03-21 16:51: > On Sat, Mar 21, 2009 at 4:32 PM, Eddy Nigg wrote: >> On 03/22/2009 12:55 AM, Ian G: >>> Hmmm, well, many questions abound: why wasn't it done? where was >>> this discussed? Why didn't client certs just happen? Why are we >>> still using passwords? >>

Re: client certificates unusable?

Ian G wrote, On 2009-03-21 07:00: > After MITB surfaced (and scared the European bankers into action) What is that? Man In The Bank? I suppose you meant MITM, but if not, please clarify. > people in finance circles started to realise that session authentication > was a mistake from the beginnin

Re: client certificates unusable?

Kyle Hamilton wrote, On 2009-03-21 15:49: > On Sat, Mar 21, 2009 at 2:58 PM, Nelson B Bolyard wrote: > I blame NSS for choosing not to adhere to certain aspects of the SSL > 3.0 and TLS 1.0 standards (accepting a ClientCertificateRequest with a > zero-length list of identifiers of ac

Re: client certificates unusable?

Ian G wrote, On 2009-03-21 15:55: > I don't know about these things, but I recognise that badly configured > servers are a pain. The servers I have experienced this with are > Apache. They may be misconfigured, but the sysadms aren't agreeing at > the moment, and talking about the sysadms bei

Re: client certificates unusable?

Eddy Nigg wrote, On 2009-03-21 15:08: > On 03/21/2009 10:43 PM, Nelson B Bolyard: >> The consensus of which you speak is actually a consensus among users of >> those crappy servers that, with those servers, client auth is unusable. >> I am part of that consensus. But I do no

Re: client certificates unusable?

Kyle Hamilton wrote, On 2009-03-21 14:07: > On Sat, Mar 21, 2009 at 1:11 PM, Nelson B Bolyard wrote: >> Kyle Hamilton wrote, On 2009-03-20 02:15: >>> There are many people who think differently; I, for one, think that >>> server-auth is the *worse* part of TLS (bec

Re: client certificates unusable?

Ian G wrote, On 2009-03-21 12:32: > It seems that we have a consensus that client > certificates (in a client authentication role at least) are unusable > with the current system. Approximately, for many reasons. Sorry, I disagree. There are many places (companies, governments) that use client

Re: client certificates unusable?

Kyle Hamilton wrote, On 2009-03-20 02:15: > This is a stupid comment. Then why post it? > There are many people who think differently; I, for one, think that > server-auth is the *worse* part of TLS (because there's no branding of > what CA is responsible for the certification, there's no way to

<    1   2   3   4   5   6   7   8   9   10   >