On Fri, 7 Mar 2014 10:55:42 +0100 Raphael Geissert <geiss...@debian.org> wrote:

> Hi Mike, everyone,
>
> With the recent switch of wheezy-security's iceweasel to using the
> embedded copy of nss I was hit again by some local certificates being
> missing. Sure enough, this is not a new issue and was expected.
>
> However, I'm wondering about using p11-kit's -trust.so provider to
> replace nssckbi, pretty much like described by #704180 but done
> directly by nss. The aim being to finally centralise this in a way
> that is, slightly, more flexible than it currently is.
>
> Now, there are of course some downsides which include losing specific
> usage and trust settings. I'm not too worried about usage settings as
> much as I am for the trust bits. How could we distrust an intermediate
> CA next time if we use p11-kit?
>
> What is your opinion on all this? What other difference between the
> two providers is there that I might be missing?
>
> Thanks in advance.
>
> Cheers,

FTR, Fedora is trying to do something similar and use p11-kit for everything:

https://fedoraproject.org/wiki/FedoraCryptoConsolidation
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
