Julien R Pierre - Sun Microsystems wrote:
> Michael,
>
> Michael Ströder wrote:
>> Wan-Teh Chang wrote:
>>> Most NSS-based server applications open the NSS databases in
>>> read-only mode, so they can run with multiple processes safely. But
>>> client applications such as Firefox and Thunderbird open the NSS
>>> databases in read-write mode.
>> According to what Nelson said, cmsutil also opens in read-write mode
>> which would IMHO not be necessary.
>
> The reason cmsutil does that is probably so that it can import recipient
> certs found in PKCS#7 / S/MIME messages into the certificate database.
> This could probably be changed or parameterized if one does not desire
> that behavior.
>
> There are other tools that initialize read-write, such as of course
> certutil, crlutil, pk12util, all of which have functions to write or
> delete objects in the database.

It would probably make sense for them to use read-only mode when they're
not actually being used to modify the database.

Sounds like we need to write an LDAP-based PKCS#11 module; with ldapi
access it would be reasonably efficient and it would also solve a lot of
certificate sharing/distribution issues.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/