Howard Chu wrote:
> Nelson B Bolyard wrote:
>> Howard Chu wrote, On 2008-08-10 03:30:
>> When one considers all the important reasons to choose a crypto
>> implementation, support for one file format which is not used in any
>> standard protocols (e.g. TLS, SMIME) doesn't seem like a biggie.
>
> The issue isn't about a specific file format, it's about overall
> usability. Ignoring the issue of hiding things in a fragile DB the
> problem is that it's a one-shot monolithic configuration.
Frankly, dealing with "PEM" files is not optimal either regarding marking certs as trusted. The cert?.db files and certutil make it possible to clearly mark certs as trusted. That's especially useful when looking at the client side. Also, AFAIK there's no software providing certificate enrollment with client-side key generation which works with PEM files. I'd really appreciate it if the OpenLDAP client libs could make use of the client certs I have in my Mozilla profile.

> It means that every user has a complete copy of all of the CA
> certificates in each of their home directories, which makes certificate
> management/revocation dicey at best.

Well, the situation of stuffing everything in a directory/file with PEM-formatted certs is not better. And every piece of software can have its own cert?.db. But the format of the cert?.db is indeed fragile, since it's not clear which NSS version works with which DB version. I remember a serious problem with cert7.db used by a 3rd-party product and different media releases of NSS.

Ciao, Michael.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto