Dear users of NSS on Linux,

we would like to announce a project that we're developing for the Fedora Linux distribution, and invite you to participate in general testing, or to participate in a Fedora test day that will take place on Thursday, March 28.

The intention of the project is to have a single point for CA certificates and trust configuration on a Linux system, which can be consumed by multiple cryptographic toolkits and applications, including, but not limited to, Mozilla Firefox and NSS.

As part of the p11-kit open source project, Stef Walter developed a software PKCS#11 module that can act as a compatible replacement for one of the components of NSS, the nssckbi module. While nssckbi contains a static set of CA certificates and trust settings, the new p11-kit-trust module is dynamic. It interacts with a shared system area to dynamically obtain the list of root CA certificates and their trust settings.

Note that the p11-kit-trust module is a software project that is separate from Mozilla and separate from NSS. It's an optional component that Linux distributions may decide to ship.

The new shared system area, which Linux distributions can use with p11-kit-trust, will be preconfigured with the identical contents as defined by the Mozilla root CA program and as contained in NSS. It can also get updated whenever Mozilla updates the list. However, it can be used to adjust a system's configuration, either to extend, modify or restrict the default trust settings.

Because p11-kit-trust will dynamically merge the system-specific configuration with the default trust settings, updates to the Mozilla CA list continue to be possible and will be active, unless overridden by system-specific rules.

In other words, this technology will effectively enable administrators of Linux systems to adjust the root CA list used by Firefox, without having to modify data stored in NSS databases or in a user's Firefox profile directory, and without having to use the Certificate Manager provided by Firefox.

Nevertheless, users of NSS applications such as Firefox will still be able to override or adjust trust settings, which will continue to be stored as user (or Firefox) specific settings.

While this technology is being developed separately from Mozilla and NSS, we still believe it's interesting to the Linux users in this group.

More details can be found at
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
which also includes a link to suggested test instructions.

We'd like to invite you to join us on March 28 in testing this new feature as part of the current Fedora development cycle; please see
https://fedoraproject.org/wiki/Test_Day:2013-03-28_Shared_System_Certificates

For general discussions about Mozilla, NSS and this feature, feel free to reply to this message.

For questions specific to the Fedora development, it might be best to use the Fedora development list
http://lists.fedoraproject.org/mailman/listinfo/devel

Thanks and Regards
Kai Engert & Stef Walters

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto