Anders,
On 7/24/2012 23:33, Anders Rundgren wrote:
> Yes. It's an issue I'm actively trying to solve. NSS seems to have made
> some *attempt* at solving it... which has some issues, and which doesn't
> even seem to have been picked up by Mozilla's own products.
For the record, some Oracle server products such as Oracle Traffic
Director use the NSS shared database.
The main reason for doing so is in order for the admin server to be able to
reliably edit the NSS cert/trust/keystore while the server is running.
It still uses application stores. Each server instance can have its own
store. The store is not per-user.
It is questionable to me that the trust should actually be shared for
all applications running under the same user. Certainly in the case of
server apps you may only want specific CAs trusted for client auth, for
example. If the trust is per-user, you would be forced to create new
users specifically for running those servers. This is sometimes the way
it's done, but not always. My same concerns would apply to private keys.
I see the most value in unconditionally sharing strictly the public
data, i.e. the CA and certs, between all processes and users.
But for trust and keys it really depends more on specific usage cases.
It would sure be nice if Firefox and Thunderbird could share the DBs,
though. I don't believe they were the primary drivers of the NSS shared
database, just one of them.
Julien
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
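Added example, not code from the thread, from NSS or from any Oracle product: what the per-instance, per-purpose trust Julien describes looks like with NSS's own certutil(1). Two server instances each get their own sql: database; the same CA certificate (public data only, exported without its key) is imported into both, but with different trust flags, and one instance's trust is later edited in place the way an admin server would. The directory layout, nicknames, passwords and the "instance-a"/"instance-b" names are invented for the example; certutil must be on PATH. In certutil's first (SSL) trust position, "T" means the CA is trusted only to issue client-auth certificates, while "C" means it is trusted to issue server certificates.

```shell
#!/bin/sh
# Added example (not from the thread). Requires certutil from NSS on PATH.
# All paths, nicknames and passwords below are made up for the demo.
set -e

# Create an empty NSS sql: database for one server instance.
make_instance_db() {
    dir=$1
    mkdir -p "$dir"
    printf 'instance-password\n' > "$dir/pw.txt"
    certutil -N -d "sql:$dir" -f "$dir/pw.txt"
}

# Generate a self-signed CA in a throwaway scratch DB and export only its
# certificate as PEM. The private key never leaves the scratch DB, which is
# then deleted: the instance stores receive public data only.
make_ca_pem() {
    nick=$1; out=$2
    scratch=$(mktemp -d)
    printf 'scratch\n' > "$scratch/pw.txt"
    dd if=/dev/urandom of="$scratch/noise.bin" bs=128 count=1 2>/dev/null
    certutil -N -d "sql:$scratch" -f "$scratch/pw.txt"
    certutil -S -d "sql:$scratch" -f "$scratch/pw.txt" -z "$scratch/noise.bin" \
        -n "$nick" -s "CN=$nick" -x -t "C,," -k rsa -g 2048 -v 12
    certutil -L -d "sql:$scratch" -n "$nick" -a > "$out"
    rm -rf "$scratch"
}

# Import a CA certificate into an instance DB with explicit trust flags.
#   "T,,"  trusted to issue client-auth certs only (not SSL server certs)
#   "C,,"  trusted to issue SSL server certs
import_ca() {
    dir=$1; nick=$2; flags=$3; pem=$4
    certutil -A -d "sql:$dir" -n "$nick" -t "$flags" -i "$pem"
}

# Change the trust of an already-imported CA in place (what an admin server
# editing a running instance's store would do).
set_trust() {
    dir=$1; nick=$2; flags=$3
    certutil -M -d "sql:$dir" -n "$nick" -t "$flags"
}

# Read back the trust column for a nickname; prints nothing if it is absent.
# (Assumes the nickname contains no spaces.)
trust_flags() {
    dir=$1; nick=$2
    certutil -L -d "sql:$dir" | awk -v n="$nick" '$1 == n { print $NF }'
}

demo() {
    base=$(mktemp -d)
    make_ca_pem clientca "$base/clientca.pem"
    make_instance_db "$base/instance-a"
    make_instance_db "$base/instance-b"
    # Instance A: this CA may only vouch for client certificates.
    import_ca "$base/instance-a" clientca "T,," "$base/clientca.pem"
    # Instance B: the same CA, but trusted to issue server certificates.
    import_ca "$base/instance-b" clientca "C,," "$base/clientca.pem"
    echo "instance-a clientca: $(trust_flags "$base/instance-a" clientca)"  # T,,
    echo "instance-b clientca: $(trust_flags "$base/instance-b" clientca)"  # C,,
    # Admin later widens A's trust without touching B.
    set_trust "$base/instance-a" clientca "CT,,"
    echo "instance-a clientca: $(trust_flags "$base/instance-a" clientca)"  # CT,,
    rm -rf "$base"
}

# Only run the demo when certutil is actually available.
if command -v certutil >/dev/null 2>&1; then
    demo
fi
```

The point the demo makes concrete is Julien's: the CA certificate itself is shareable public data, but the trust attached to it is a per-store decision. The same PEM is trusted for client auth in one instance and for server certs in the other, and editing one instance's trust leaves the other untouched; a single per-user trust store could not express that without running each server as a separate user.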