On 07/25/2012 03:02 AM, David Woodhouse wrote:
O³.

So what I actually want is
  - To fix the API to the NSS system database so it isn't insane.
Do you have any suggestions on how the API would be changed? One thing I'm always fighting is providing an API for apps without breaking existing apps.

One idea might be to just force the use of the NSS system DB under the covers. We can control this from some sort of outside control (like an environment variable). There is an issue about what the default should be (on or off). Since NSS can open more than one database, we can open the database the user requested as well. This would also mean apps will start using the NSS system DB without requiring applications to change.

You may be thinking in a different direction; I would be interested in hearing your ideas.
  - To fix Firefox, Thunderbird and the NSS samples to use it correctly.
Legacy is what has been holding FF and TB back. It would be relatively easy to get FF or TB to use the sqlite database. It's been a real bear trying to get anyone to work on doing database migration.
  - To go on a bombing run across all other NSS-using applications to
    fix those too (I've done Evolution already, but it'll need fixing
    once the API is made saner and it doesn't need to go grubbing around
    in /etc/pki/nssdb/pkcs11.txt to work out what DB path to open).
  - To make the 'combined' system and user trust databases (two slots
    in the same token)
I'm not sure about your terminology here. Slots are locations for tokens to be plugged into (mapping to the PKCS #11 slots, which usually refer to physical readers). Do you mean 2 slots in the same module?
  usable when you load nssoftokn.so as a PKCS#11
    module from *another* crypto library (like GnuTLS/OpenSSL), and to
    make those use the trust information from it.

  - To ship a variant of Debian's update-ca-certificates which manages
    trusted CAs *within* the database in /etc/pki/nssdb/ instead of just
    in a flat file elsewhere.



-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
