Nelson B Bolyard wrote:
What is the default cert database location for NSS?

It's application dependent and OS dependent.
There isn't one yet. Until the shared database code went in, each application had to keep its databases separate from other applications. With shared databases, we will be defining a new user location for all applications to share. This will likely still be OS dependent. For Linux, my current thinking is that it would be ~/.pki/nssdb or something similar. (actually now is a good time to bring that up...)

Are they supposed to be in /etc/pki/nssdb?

Perhaps some application on some OS has chosen to put NSS DBs there.
That's the "system" location in RH Linux. System tools use that location. As part of crypto consolidation, we will probably encourage applications to open this location read only as well. This will allow sys admins to install new root certs for all users, for instance.
I think that's probably at least a little unfortunate.  I'd expect
each user to have his own DBs, and the DBs would be in some directory
that is owned and writable by that user.

I was also wondering if my application can directly use the db from the
mozilla location mentioned above or it can cause a problem if mozilla db
is updated and the application is running.

Presently, Mozilla apps do not yet use the new sharable SQLite DBs.
They still use the old cert8 and key3 Berkeley DBs.  Those old DBs had
the following rules about sharing:
In general, I wouldn't, unless you turn on the shared DB support. Mozilla apps all open the database read/write by default, which pretty much precludes sharing.
Should the application have its own directory with a copy of these database files in there?

If the application is using the old Berkeley DBs, then yes.

Note that it IS possible to get FF3 to use shareable DBs instead of the
older Berkeley DBs, by setting an environment variable before starting
FF3.  This is not for the faint of heart!  However, AFAIK, it is not
yet possible to get FF3 to open the DBs in any directory other than the
user's "profile" directory (where it puts the existing cert8.db files
now).  So, sharing of DBs between (say) FF3 and TB is not yet feasible,
AFAIK.
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
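
As an added example (not part of the original thread or of NSS itself), this Python check reports which database format a directory holds and whether the current user can write to it, which is the distinction the replies above turn on. The names `cert9.db`/`key4.db` and the `sql:`/`dbm:` prefixes do not appear in the thread; they are NSS's names for the SQLite format and its directory prefixes. `classify_nssdb` and `make_sample` are hypothetical helpers, and the sample directories are constructed.

```python
import os
import tempfile

LEGACY_FILES = ("cert8.db", "key3.db")  # old Berkeley DBs named in the thread
SQLITE_FILES = ("cert9.db", "key4.db")  # NSS SQLite names (not given in the thread)

ADVICE = {
    "berkeley": "not shareable: give the application its own copy",
    "sqlite": "shareable: open read-only unless it is the user's own store",
    "both": "both formats present: pass an explicit sql: or dbm: prefix",
    "none": "no NSS database found",
}


def classify_nssdb(path):
    """Report the NSS DB format found in `path` and whether we can write to it."""
    present = set(os.listdir(path)) if os.path.isdir(path) else set()
    has_dbm = all(name in present for name in LEGACY_FILES)
    has_sql = all(name in present for name in SQLITE_FILES)
    if has_dbm and has_sql:
        fmt = "both"
    elif has_sql:
        fmt = "sqlite"
    elif has_dbm:
        fmt = "berkeley"
    else:
        fmt = "none"
    prefix = {"sqlite": "sql:", "berkeley": "dbm:"}.get(fmt)
    return {
        "format": fmt,
        "open_as": prefix + path if prefix else None,
        "writable": os.path.isdir(path) and os.access(path, os.W_OK),
        "advice": ADVICE[fmt],
    }


def make_sample(names):
    """Create a constructed sample directory holding empty files `names`."""
    directory = tempfile.mkdtemp(prefix="nssdb-sample-")
    for name in names:
        open(os.path.join(directory, name), "w").close()
    return directory


if __name__ == "__main__":
    for label, names in (("legacy", LEGACY_FILES), ("shared", SQLITE_FILES)):
        print(label, classify_nssdb(make_sample(names)))
    for real in ("/etc/pki/nssdb", os.path.expanduser("~/.pki/nssdb")):
        print(real, classify_nssdb(real))
```

The `open_as` value is the form accepted by NSS tools such as `certutil -d`.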
