On Wed, Apr 4, 2012 at 12:47 PM, Anders Rundgren <anders.rundg...@telia.com> wrote:
>
> Mozilla should IMO rather hook into the
> other vendors' cryptographic solution, possibly at the expense of NSS.
>
> According to a [colleague] of mine Chrome even uses the platform's SSL
> implementation! Well, not in *NIX since there is no such thing...
Yes, early versions of Chrome used the platform's SSL implementation. That strategy became restrictive when we needed the server name indication extension support, but it isn't available in the SChannel library on Windows XP.

Today Chrome uses the SSL implementation from NSS, but still uses the platform's certificate and key store and the platform's certificate verification function. On Linux Chrome uses the NSS sqlite certificate and key databases in $HOME/.pki/nssdb, as proposed in https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX.

Using the platform's certificate and key store has worked well in general. There are some minor problems due to uneven support of features across versions of the platform. For example, ECC certificates are not supported on Windows XP, and SHA-256 certificate support on Windows XP requires service pack 3.

As for hooking into other vendors' cryptographic solutions -- in my biased opinion, although some OS vendors' cryptographic solutions are indeed better than NSS, NSS is still better than others.

My current recommendation is to only use the platform certificate and key store (and the trusted root certificate list, if appropriate for your product). This may require using the OS vendor's cryptographic library for private key operations because private keys cannot be extracted from the platform key store in general.

Wan-Teh

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto