On Wed, 2012-07-25 at 18:03 -0700, Julien Pierre wrote:
> It is questionable to me that the trust should actually be shared for
> all applications running under the same user.

It's *not* "applications". It's *purposes*. So let me rephrase that: it's questionable (in fact, it's definitely *not* the case) that a certificate which is trusted for one purpose should therefore be trusted for *all* purposes.

We already have a mechanism for describing which purposes a certificate can be used for. It probably wants extending¹, and in the *meantime* those applications which really need to keep things separate could be given their own storage.

So in addition to the simple pair of 'slots' with /etc/pki/nssdb and $HOME/.pki/nssdb that libnsssysinit.so currently gives you, you could have a *third* slot with the application-specific database. That eases the migration path for applications which already *have* their own database, too.

> My same concerns would apply to private keys.

An application-specific 'third slot' would certainly address that concern.

--
dwmw2

¹ There is already some work which covers this: http://people.collabora.com/~stefw/trust-assertions.html
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
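
Added example, not part of the original message or of NSS: assuming the existing per-purpose mechanism mentioned above is NSS's three trust-flag fields (SSL, S/MIME, code signing) as printed by `certutil -L`, this audits a listing for CA certificates that are trusted for more than one purpose. The listing, nicknames and function names are constructed for illustration.

```python
import re

# Constructed sample in the layout printed by `certutil -L -d sql:$HOME/.pki/nssdb`.
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Web Root CA                                          C,,
Example Mail CA                                              ,C,
Example Corporate Root                                       CT,C,C
alice@example.test                                           u,u,u
"""

# Order of the three comma-separated trust fields.
PURPOSES = ("ssl", "smime", "codesign")
# Trust flag letters accepted by certutil: p, P, c, C, T, u, w.
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")


def parse_listing(text):
    """Return {nickname: {purpose: flags}} from certutil -L style output."""
    certs = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue  # header, blank line, or anything that is not a cert row
        nickname, trust = parts[0].strip(), parts[1]
        certs[nickname] = dict(zip(PURPOSES, trust.split(",")))
    return certs


def trusted_ca_purposes(flags_by_purpose):
    """Purposes for which the cert is a trusted CA (C, or T for client auth)."""
    return [p for p in PURPOSES if set(flags_by_purpose[p]) & {"C", "T"}]


def over_broad(certs):
    """Nicknames trusted as a CA for more than one purpose."""
    return sorted(n for n, f in certs.items()
                  if len(trusted_ca_purposes(f)) > 1)


if __name__ == "__main__":
    for name in over_broad(parse_listing(SAMPLE)):
        print("trusted as CA for multiple purposes:", name)
```
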