On 08/17/2011 08:23 PM, Sean Leonard wrote:
> Is there a way to determine whether the NSS DB(s) are in V8 (aka
> sdb->sdb_type = SDB_LEGACY) versus in V9 (aka sdb->sdb_type = SDB_SQL)
> mode?

Unfortunately, I don't believe that is surfaced at the 'slot' level.

>
> I am doing some research into setting certificate nicknames. The
> legacy DB (aka 'the DB that everybody uses because it is the default
> and it is very complicated/unintuitive for people to change even
> though it is not as good')

Ah, the joys of protecting ABIs ;). Of course the complication isn't in using 'sql:' rather than 'dbm:', it's the complication of moving from 'sql:' to 'dbm:' that's holding people back.

> has some weirdness with setting--or not setting--certificate nicknames.

Let me guess.... The certificates in question have the same Subject? There's a very strong association in NSS between nickname and subject --- much stronger than nickname and certificate. The old database format attaches nicknames to subject records, so if you import a new certificate with the same subject, but a different nickname than the one that already exists, it uses the new

> This 'weirdness' does not seem to affect the V9 sqlite DB.

The V9 DB stores records as PKCS #11 attributes, so things like nicknames are stored independently as labels.

NOTE: the upper level of NSS will still associate a nickname with *ALL* the certs with a given subject, no matter how it's stored internally. This 'feature' was meant to allow us to deal with user/identity. NSS would pick the appropriate cert (unexpired, signer or key exchange, etc) for that user/identity automatically. This has led to confusion because people expect nickname to match cert, not groups of certs.

>
> Thanks!
> -Sean
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
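Added example, not part of the original message and not NSS code: because the reply says the DB type is not surfaced at the slot level, one way to tell the two formats apart is to look at the database directory itself. It assumes the standard NSS file names (cert8.db/key3.db for the legacy DBM format, cert9.db/key4.db for the SQLite format) and the NSS_DEFAULT_DB_TYPE environment variable; the function names and the `default` argument are hypothetical.

```python
import os
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of any SQLite 3 file

def is_sqlite(path):
    """True if the file exists and starts with the SQLite 3 header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False

def formats_on_disk(directory):
    """Return the NSS DB formats present in a directory: 'dbm' and/or 'sql'."""
    d = Path(directory)
    found = set()
    # Legacy (V8) files: must exist and must not be SQLite files.
    if all((d / n).is_file() and not is_sqlite(d / n) for n in ("cert8.db", "key3.db")):
        found.add("dbm")
    # SQLite (V9) files: confirmed by header, not by name alone.
    if all(is_sqlite(d / n) for n in ("cert9.db", "key4.db")):
        found.add("sql")
    return found

def check(spec, env=None, default="dbm"):
    """Return (selected_format, files_present) for a config-dir spec.

    An explicit 'sql:' or 'dbm:' prefix wins, then NSS_DEFAULT_DB_TYPE, then
    `default` (assumed 'dbm', as in this thread; newer NSS releases use 'sql').
    Other prefixes are not handled here.
    """
    env = os.environ if env is None else env
    prefix, sep, rest = spec.partition(":")
    if sep and prefix in ("sql", "dbm"):
        selected, directory = prefix, rest
    else:
        selected, directory = env.get("NSS_DEFAULT_DB_TYPE", default), spec
    return selected, selected in formats_on_disk(directory)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample directory
        for name in ("cert8.db", "key3.db"):
            Path(tmp, name).write_bytes(b"\x00" * 32)  # stand-in legacy files
        for name in ("cert9.db", "key4.db"):
            Path(tmp, name).write_bytes(SQLITE_MAGIC + b"\x00" * 84)
        print(sorted(formats_on_disk(tmp)))
        print(check("sql:" + tmp), check(tmp, env={}))
```

A directory that holds both file sets is ambiguous on its own; which set an application opens depends on the prefix or environment it starts with, which is why `check` takes the spec rather than just the path.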