On Mon, 2015-05-11 at 11:24 -1000, Brian Smith wrote:
> 
> Said differently, there is nothing special about Linux. Just as Firefox
> intentionally doesn't use Windows's central certificate trust database on
> Windows, and just as it doesn't use Mac OS X's central certificate trust
> database on Mac OS X, it shouldn't use a Linux distro's central certificate
> trust database.

I think we can treat the question of *trusted* certificates as an
orthogonal issue.

If you look at the (incomplete) list of options I posted¹ for how we
might make NSS honour the p11-kit-configured list of tokens, I
explicitly mentioned the fact that we *don't* want to automatically
load the trust roots; only the additional user tokens.

NSS applications should get their trust roots, if they want them, from
libnssckbi.so.

If someone symlinks libnssckbi.so to something else rather than the
one that NSS provides... well, that's a different conversation :)

-- 
dwmw2

¹ http://lists.freedesktop.org/archives/p11-glue/2014-December/000528.html


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
