On Tue, 2015-07-28 at 09:43 +0200, Trick, Daniel wrote:
> David, can you elaborate on what exactly you mean with "it ought to be 
> using"?

Sorry. English could really do with two separate words where we
currently just use 'ought to'.

One for 'in an ideal world it would be fixed to' and another for 'I
expect it to, and don't know why it isn't for you'.

In this case I meant the former :)

PKCS#11 URIs are relatively new — draft-pechanec-pkcs11uri-00 was first
published in 2010, and RFC7501 only in April of this year.

NSS doesn't support them at all yet. At some point I'm planning to
write some search functions which will look up objects by their URI,
and generate URIs to match existing NSS objects. But I haven't got
round to it yet.

> Do you mean that current Thunderbird should be using a PKCS#11 URI in 
> the "prefs.js" file, but doesn't do so for some reason (bug)?
> 
> Or do you mean it actually will be using a PKCS#11 URI /under certain 
> circumstances/, but uses a Nickname otherwise? If so, what would be the 
> circumstances under which it uses the PKCS#11 URI? And can we *always* 
> write a PKCS#11 URI into the "prefs.js" file, in order to make sure that 
> the proper certificate gets selected in all cases? If so, would you 
> mind sharing an example how this would look like?

In the archives a little while back, there was some discussion of this.
I think I suggested that the functions for looking up certs by nickname
could automatically DTRT if presented with a string which is a PKCS#11
URI. This was not met with approval.

My proposal would have meant that applications such as Thunderbird
would then have Just Worked™ if you put a PKCS#11 URI into their config
files. But as things stand, I think we'd actually have to patch *each*
application to use a different lookup function. They'll almost
certainly do precisely the same thing that was apparently undesirable
for NSS to do for itself — if it's a valid PKCS#11 URI then look it up
as one, else treat it as a nickname and look it up that way.

-- 
David Woodhouse                            Open Source Technology Centre
david.woodho...@intel.com                              Intel Corporation

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
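
The fallback described in the message above ("if it's a valid PKCS#11 URI then look it up as one, else treat it as a nickname"), as an added example that is not code from the message or from NSS. `classify_cert_ref` and `ref_kind` are hypothetical names; the check follows the RFC 7512 path syntax, does not inspect the query part, and performs no lookup.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

enum ref_kind { REF_NICKNAME, REF_PKCS11_URI };

/* Path attribute names from RFC 7512; "x-" vendor names are accepted too. */
static const char *const path_attrs[] = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-description", "slot-manufacturer", "slot-id", NULL };

static bool known_attr(const char *name, size_t len) {
    if (len > 2 && strncmp(name, "x-", 2) == 0) return true;
    for (size_t i = 0; path_attrs[i]; i++)
        if (strlen(path_attrs[i]) == len && memcmp(path_attrs[i], name, len) == 0)
            return true;
    return false;
}

/* A value may hold unreserved chars, the extra path chars, or %XX escapes. */
static bool valid_value(const char *v, size_t len) {
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c == '%') {
            if (len - i < 3 || !isxdigit((unsigned char)v[i + 1]) ||
                !isxdigit((unsigned char)v[i + 2])) return false;
            i += 2;
        } else if (!isalnum(c) && !strchr("-._~:[]@!$'()*+,=&", c)) return false;
    }
    return true;
}

/* NSS nicknames for certs on a token look like "token name:nickname", so the
 * "pkcs11:" prefix alone proves nothing: every attribute must parse, and this
 * example also requires at least one. Anything else stays a nickname. */
enum ref_kind classify_cert_ref(const char *s) {
    if (strncmp(s, "pkcs11:", 7) != 0) return REF_NICKNAME;
    const char *p = s + 7;
    for (;;) {
        size_t n = strcspn(p, ";?");          /* one name=value attribute */
        const char *eq = memchr(p, '=', n);
        if (!eq || !known_attr(p, (size_t)(eq - p)) ||
            !valid_value(eq + 1, n - (size_t)(eq - p) - 1))
            return REF_NICKNAME;
        p += n;
        if (*p != ';') return REF_PKCS11_URI; /* '?' (query) or end of string */
        p++;
    }
}
```

An application would call its existing nickname lookup for `REF_NICKNAME` and a URI-based lookup for `REF_PKCS11_URI`.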
