Nelson Bolyard wrote:
> Here's the problem, Angelo,
>
> While using CKA_Label as you imagine might seem to be a solution, it
> really places onto the user the responsibility to know which cert is
> correct to use in any given situation. NSS's approach is to let the
> user specify the relevant selection criteria (e.g. what identity,
> what type of operation, etc.) and have NSS choose the right cert from
> among the candidates that meet the relevant selection criteria.

Then why is there a certificate selection dropdown in Thunderbird, if the underlying library ignores/re-interprets this selection?

> At the present time, NSS's FindUserCertByUsage API uses a set of
> pre-defined usages, and that set does not draw a distinction between
> temporal short term signatures and durable long term signatures.
> If there is any part of NSS that I would change to try to address your
> problem, I think it would be making the pre-defined usages more fine
> grained.

Is there a relationship to the fixed bug #240456, where CERT_CheckKeyUsage() was patched to 'remove' the distinction between NR-certs and signing certs?

Regards,
Angelo Rosenfelder