Howard Chu wrote:
> Michael Ströder wrote:
>> I'd really appreciate if the OpenLDAP client libs could make use of
>> client certs I have in my Mozilla profile.
>
> Don't be so sure; it's not as good as it sounds... Without the new
> shared DB support in NSS, this would very likely corrupt your certDBs in
> short order. E.g., if you're running the browser (which opens its DBs
> with Read/Write access) and then pop over to issue an ldapsearch from
> the command line, you'll hose yourself.
>
> At any rate, I've committed the preliminary code to CVS so you can
> tinker with it if you want. It will take a lot more beating on before
> it's actually usable.
>
>>> It means that every user has a complete copy of all of the CA
>>> certificates in each of their home directories, which makes certificate
>>> management/revocation dicey at best.
>>
>> Well, the situation of stuffing everything in a directory/file with
>> PEM-formatted certs is not better. And every software can have its own
>> cert?.db.
>
> At least filesystems are known to safely support multiple concurrent
> access... ;)
>
>> But the format of the cert?.db is indeed fragile since it's not clear
>> which NSS version works with which DB version. I remember a serious
>> problem with cert7.db used by a 3rd-party product and different media
>> releases of NSS.
>
> And PEM has been around since 1992 or so, without any real changes.
> (Which isn't surprising since it's mostly dead...)
Some Red Hat folks have been working on adding NSS support to OpenLDAP. It's almost ready to go. There should be a patch appearing in OpenLDAP ITS shortly.