Hi there,
The steps you will need to go through are roughly the following:
* Implement the algorithm itself in freebl
* Write some plumbing to expose the algorithm through the PKCS#11 interface
You can see how this was done for RSA-PSS in these bugs:
I took a hack at the blog post. I kept your outline, but ended up
text-editing a bunch of it. I think it's pretty good now.
On Thu, Jul 31, 2014 at 10:07 PM, Richard Barnes <rbar...@mozilla.com>
wrote:
> Hi all,
>
> We in the Mozilla PKI team have been discussing ways to imp
Sorry, wrong thread. Expect to see a security blog post about revocation
soon, summarizing some recent work :)
On Sat, Nov 21, 2015 at 11:59 AM, Richard Barnes <rbar...@mozilla.com>
wrote:
> I took a hack at the blog post. I kept your outline, but ended up
> text-editing a bun
Sounds like your server is using a weak key :)
Firefox currently requires both RSA and DH keys to be at least 1023 bits
long.
https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/ssl/sslimpl.h#158
The way to permanently fix this problem is to reconfigure the server,
either with
It seems like part of your question is whether it's necessary for the
terminal cert in a chain to have subject==issuer. That is absolutely *not*
the case, at least in NSS. Any certificate can be marked as trusted, in
which case validation will terminate with that cert successfully (or
actively
We do not have a concrete plan to turn off support for 1024-bit keys,
but we are actively working on phasing out support for keys shorter
than 2048 bits. I would *strongly* recommend using a 2048-bit key for
any new certs, and upgrading any existing certs with shorter keys.
Sent from my iPhone.
Hey Rebecca,
Can you send along the certificate chain that the site is presenting?
Thanks,
--Richard
On Thu, Apr 23, 2015 at 4:11 PM, rebecca.c...@gmail.com wrote:
Accessing https site that is used by the entire state of Indiana. My
office is apparently the only office that cannot access the
On Nov 5, 2014, at 3:43 PM, crodenb...@gmail.com wrote:
On Thursday, October 16, 2014 3:04:59 PM UTC-5, treb...@gmail.com wrote:
On Monday, April 7, 2014 6:33:50 PM UTC-4, Kathleen Wilson wrote:
All,
We have been working on a new certificate verification library for
Gecko, and
Hey all,
By now, you've probably heard about the POODLE attacks on SSLv3, and our
decision to disable SSLv3 by default in Firefox 34 [1]. Several people have
proposed that we also make this change in Firefox ESR 31.
So I wanted to propose that we also disable SSLv3 by default in ESR 31 at
a high failure rate, maybe as high as 0.5% (2^-9).
At that rate, a 250KB limit would fit around 220,000 CRL entries. So we would
need to do some experimentation to see how that capacity compares to the size
of CRLs in the wild.
--Richard
On 01/08/14 03:07, Richard Barnes wrote:
Hi all
On Aug 5, 2014, at 1:25 PM, Brian Smith br...@briansmith.org wrote:
On Tue, Aug 5, 2014 at 9:51 AM, mjle...@gmail.com wrote:
Since updating to 31, I have not been able to log into a self signed web
page:
Secure Connection Failed
An error occurred during a connection to taiserver:444.
@lists.mozilla.org]
On Behalf Of Richard Barnes
Sent: Thursday, July 31, 2014 8:08 PM
To: mozilla-dev-security-pol...@lists.mozilla.org;
mozilla-dev-tech-cry...@lists.mozilla.org
Subject: New wiki page on certificate revocation plans
Hi all,
We in the Mozilla PKI team have been
Hi all,
We in the Mozilla PKI team have been discussing ways to improve revocation
checking in our PKI stack, consolidating a bunch of ideas from earlier work
[1][2] and some maybe-new-ish ideas. I've just pressed save on a new wiki
page with our initial plan:
context than gecko?
--Richard
Now I am trying to decrypt key exported by PK11_ExportEncryptedPrivKeyInfo()
with method SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4 directly, which
seems to be the most simple method to decrypt.
於 2014/7/16 上午 01:59, Richard Barnes 提到:
Have you tried
Have you tried exporting with PK11_ExportDERPrivateKeyInfo? That's what
WebCrypto uses to export keys in PKCSD#8 format:
http://dxr.mozilla.org/mozilla-central/source/dom/crypto/CryptoKey.cpp?#333
On Jul 13, 2014, at 10:48 PM, Chuck Lee chu...@mozilla.com wrote:
Hi all,
I am now
15 matches
Mail list logo