On Wed, 2012-07-25 at 08:59 +0200, helpcrypto helpcrypto wrote:
>
> You are asking for: (paths are just for example purposes)
> a) To set up a $HOME/nss to store user certs + trusted by the user
> (actually more/less what already have). Doesn't Chrome use something
> like that already?
> b) To set up a /usr/nss to store system-wide certs and system-trusted
> CAs
> c) ?
>
> Are you asking for a? a&b?...
We already *have* A & B¹. A is actually ~/.pki/nssdb and yes, Chrome and other things use it. B is /etc/pki/nssdb, not in /usr, and that exists already too. And if set up right, with an /etc/pki/nssdb/pkcs11.txt that loads libnsssysinit.so, you do indeed get both.

But an application can't *tell* whether to open sql:/etc/pki/nssdb (and trust libnsssysinit.so to load the user's own database), or whether the system database isn't set up and it needs to open sql:$HOME/.pki/nssdb. The only thing it can do is actually *open* /etc/pki/nssdb/pkcs11.txt and check for 'library=libnsssysinit.so' in there. Which is kind of sucky, and almost no applications actually *do* it. Not even Firefox² or Thunderbird. And the NSS samples don't even get it right³.

So what I actually want is:

- To fix the API to the NSS system database so it isn't insane.
- To fix Firefox, Thunderbird and the NSS samples to use it correctly.
- To go on a bombing run across all other NSS-using applications to fix those too (I've done Evolution already, but it'll need fixing once the API is made saner and it doesn't need to go grubbing around in /etc/pki/nssdb/pkcs11.txt to work out what DB path to open).
- To make the 'combined' system and user trust databases (two slots in the same token) usable when you load nssoftokn.so as a PKCS#11 module from *another* crypto library (like GnuTLS/OpenSSL), and to make those use the trust information from it.
- To ship a variant of Debian's update-ca-certificates which manages trusted CAs *within* the database in /etc/pki/nssdb/ instead of just in a flat file elsewhere.

-- 
dwmw2

¹ https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX
² https://bugzilla.mozilla.org/show_bug.cgi?id=449498
³ https://bugzilla.mozilla.org/show_bug.cgi?id=490238#c37
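The check the message says applications are forced to do today (open /etc/pki/nssdb/pkcs11.txt, look for library=libnsssysinit.so, and only then decide whether to hand NSS sql:/etc/pki/nssdb or sql:$HOME/.pki/nssdb), written out as an added Python example that is not from the thread or from NSS itself. The blank-line-separated key=value layout it parses and the sample file contents are assumptions/constructed here; an application that guesses wrong either never sees the system-trusted CAs or silently bypasses the user's own trust settings, which is the risk the check exists to avoid.

```python
import os

SYSTEM_DB_DIR = "/etc/pki/nssdb"        # "B" in the thread
SYSINIT_LIBRARY = "libnsssysinit.so"    # module that chains in the user's DB

def parse_pkcs11_txt(text):
    """Split pkcs11.txt into one key=value dict per module.
    Assumption (not from the thread): modules are blank-line separated
    blocks of 'key=value' lines; '#' starts a comment line."""
    modules, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                modules.append(current)
                current = {}
            continue
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    if current:
        modules.append(current)
    return modules

def system_db_loads_sysinit(text):
    """The check dwmw2 describes: does any module load libnsssysinit.so?"""
    return any(os.path.basename(m.get("library", "")) == SYSINIT_LIBRARY
               for m in parse_pkcs11_txt(text))

def choose_nss_db(pkcs11_txt, home):
    """Return the 'sql:' configdir to open. pkcs11_txt is the text of
    /etc/pki/nssdb/pkcs11.txt (None if absent). With libnsssysinit.so the
    system DB also pulls in ~/.pki/nssdb; without it, fall back to the
    user DB rather than silently dropping the user's trust settings."""
    if pkcs11_txt is not None and system_db_loads_sysinit(pkcs11_txt):
        return "sql:" + SYSTEM_DB_DIR
    return "sql:" + os.path.join(home, ".pki", "nssdb")

# Constructed sample of a sysinit-enabled system pkcs11.txt (not from the page)
SAMPLE_WITH_SYSINIT = """\
library=libnsssysinit.so
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace
NSS=trustOrder=75 cipherOrder=100 Flags=internal,critical
"""
SAMPLE_WITHOUT_SYSINIT = SAMPLE_WITH_SYSINIT.replace(SYSINIT_LIBRARY, "")  # constructed: no chaining

if __name__ == "__main__":
    print(choose_nss_db(SAMPLE_WITH_SYSINIT, "/home/alice"))     # sql:/etc/pki/nssdb
    print(choose_nss_db(SAMPLE_WITHOUT_SYSINIT, "/home/alice"))  # sql:/home/alice/.pki/nssdb
```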
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto