David, can you elaborate on what exactly you mean by "it ought to be using"?

Do you mean that current Thunderbird should be using a PKCS#11 URI in the "prefs.js" file, but doesn't do so for some reason (bug)?

Or do you mean it actually will be using a PKCS#11 URI /under certain circumstances/, but uses a Nickname otherwise? If so, what would be the circumstances under which it uses the PKCS#11 URI? And can we *always* write a PKCS#11 URI into the "prefs.js" file, in order to make sure that the proper certificate gets selected in all cases? If so, would you mind sharing an example of what this would look like?

Thank you,
Daniel


On 27.07.2015 at 21:55, David Woodhouse wrote:
> On Mon, 2015-07-27 at 18:34 +0200, Trick, Daniel wrote:
> > Thanks for your reply, Bob!
> >
> > You said:
> > > When you need fine grain control, the application should use
> > > issuer/serial number to identify the cert (I think all the mozilla
> > > apps have gone to this now)
> > Well, I agree that it /should/ use the issuer/serial number, which is
> > supposed to be unique (unlike the nickname). But I don't think that's
> > the case with the Mozilla apps right now.
> >
> > I'm using the latest Thunderbird (v38.1) and the certificate selection
> > box in the "S/MIME" section of the e-mail account configuration dialogue
> > shows the certificate's nickname /only./
> >
> > And, even more important, if we look into the "prefs.js" file, where
> > Thunderbird actually stores which certificate is selected, we see that
> > it stores /only/ the certificate's nickname!
> >
> > (It's also the "prefs.js" file that we need to update in order to
> > configure the user's certificate in an automated way. And currently the
> > best we can do, AFAIK, is to write the nickname)
> These days it probably ought to be using a RFC7512 PKCS#11 URI in a lot
> of cases.


--
Daniel Trick, Fraunhofer SIT
Cloud Computing, Identity & Privacy (CIP)
Rheinstr. 75, 64295 Darmstadt, Germany
Tel +49 6151 869-303

mailto:daniel.tr...@sit.fraunhofer.de
http://www.sit.fraunhofer.de/

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
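
Added example, not part of the thread and not Thunderbird or NSS code: a sketch of why an RFC 7512 PKCS#11 URI can pin one certificate where a nickname (CKA_LABEL) matches several. The token name, label and CKA_ID values are constructed, the function names are hypothetical, and nothing here assumes that Thunderbird accepts such a URI in "prefs.js", which is the open question above.

```python
from urllib.parse import quote, unquote, unquote_to_bytes

# Constructed sample objects: two certificates sharing one nickname (CKA_LABEL).
CERTS = [
    {"token": "Constructed Token", "label": "S/MIME cert", "id": b"\x01\xaa"},
    {"token": "Constructed Token", "label": "S/MIME cert", "id": b"\x01\xab"},
]
# Subset of the RFC 7512 path attributes, mapped to the sample dict keys.
ATTR_TO_KEY = {"token": "token", "object": "label", "id": "id", "type": None}

def build_cert_uri(cert):
    """Build a pkcs11: URI naming one certificate by token, CKA_ID and label."""
    cka_id = "".join("%%%02X" % b for b in cert["id"])  # binary: encode every byte
    return "pkcs11:" + ";".join([
        "token=" + quote(cert["token"], safe=""),
        "id=" + cka_id,
        "object=" + quote(cert["label"], safe=""),
        "type=cert",
    ])

def parse_uri(uri):
    """Parse the path component of a pkcs11: URI into {attribute: value}."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    attrs = {}
    for part in uri[len("pkcs11:"):].split("?", 1)[0].split(";"):
        name, sep, value = part.partition("=")
        if not sep or name not in ATTR_TO_KEY:
            raise ValueError("unsupported or malformed attribute: %r" % part)
        if name in attrs:  # RFC 7512 forbids duplicate path attributes
            raise ValueError("duplicate attribute: " + name)
        attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return attrs

def find_by_nickname(certs, nickname):
    """Nickname-only lookup, as stored today: may return several objects."""
    return [c for c in certs if c["label"] == nickname]

def find_by_uri(certs, uri):
    """Lookup on every attribute the URI carries, including the binary CKA_ID."""
    want = {ATTR_TO_KEY[a]: v for a, v in parse_uri(uri).items() if ATTR_TO_KEY[a]}
    return [c for c in certs if all(c[k] == v for k, v in want.items())]

if __name__ == "__main__":
    uri = build_cert_uri(CERTS[1])
    print(uri)
    print(len(find_by_nickname(CERTS, "S/MIME cert")), "match(es) by nickname")
    print(len(find_by_uri(CERTS, uri)), "match(es) by URI")
```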
