Howard Chu wrote:
> Michael Ströder wrote:
>> I'd really appreciate it if the OpenLDAP client libs could make use of
>> client certs I have in my Mozilla profile.
>
> Don't be so sure; it's not as good as it sounds... Without the new
> shared DB support in NSS, this would very likely corrupt your certDBs in
> short order. E.g., if you're running the browser (which opens its DBs
> with Read/Write access) and then pop over to issue an ldapsearch from
> the command line, you'll hose yourself.

I'm quite aware of that problem (although it has not done any harm to my local installation so far). But I appreciate that I can sign OpenOffice files just with the cert/key stored in my Mozilla profile.

> At any rate, I've committed the preliminary code to CVS so you can
> tinker with it if you want. It will take a lot more beating on before
> it's actually usable.

I've forwarded your message to Rich Megginson since he once expressed the wish to have NSS support in python-ldap. I'm not a C programmer.

>>> It means that every user has a complete copy of all of the CA
>>> certificates in each of their home directories, which makes certificate
>>> management/revocation dicey at best.
>>
>> Well, the situation of stuffing everything in a directory/file with
>> PEM-formatted certs is not better. And every software can have its own
>> cert?.db.
>
> At least filesystems are known to safely support multiple concurrent
> access... ;)

That's an advantage of ASCII-armored files. But at the moment there is no way to attach metadata to the trusted CA certs. It's always a trust-for-all-purposes.

Also, an advantage of NSS is that you can add support for smartcards through a well-defined API (PKCS#11), as e.g. the OpenSC people do. Engine support in OpenSSL is not so common up to now (and not as simple as dealing with PEM files anyway).

> And PEM has been around since 1992 or so, without any real changes.
> (Which isn't surprising since it's mostly dead...)

AFAIK the ASCII-armored files that OpenSSL calls "PEM format" aren't even PEM files. ;-)

Ciao, Michael.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
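As an added example (not part of this thread and not code from OpenLDAP, NSS or python-ldap), here is the contrast the message above draws, in Python: a small parser for the ASCII-armored "PEM" bundle format as OpenSSL reads it, which yields certificates but no per-purpose trust metadata, beside a parser for the NSS trust-attribute string that `certutil -L` prints (three fields: SSL, S/MIME, object signing). The sample bundle bodies are constructed byte strings rather than real certificates, the function names are my own, and the flag interpretation is a simplified reading of the certutil letter meanings.

```python
import base64
import re

# Constructed sample bundle in the ASCII-armored style OpenSSL calls "PEM"
# (RFC 7468 textual encoding). The bodies are short constructed byte
# strings, not real DER certificates, so this runs offline.
SAMPLE_BUNDLE = """\
# A CA bundle usually has comments and blank lines between blocks.
-----BEGIN CERTIFICATE-----
Q0EtT05F
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Q0EtVFdP
-----END CERTIFICATE-----
"""

_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def parse_pem_bundle(text):
    """Return [{"label": str, "der": bytes}, ...], one entry per armored block.

    Note what is *not* here: the textual encoding carries no field saying
    for which purposes (TLS server, S/MIME, code signing) the holder trusts
    a certificate. An entry is simply present in the bundle or not.
    """
    entries = []
    for label, body in _BLOCK.findall(text):
        raw = "".join(body.split())  # drop the line breaks inside the body
        entries.append(
            {"label": label, "der": base64.b64decode(raw, validate=True)}
        )
    return entries


# NSS trust attributes as printed by `certutil -L`: three comma-separated
# fields for SSL, S/MIME and object signing, e.g. "CT,C,C" for a public root.
NSS_PURPOSES = ("ssl", "email", "objsign")
NSS_TRUST_LETTERS = {
    "p": "prohibited (explicitly distrusted)",
    "P": "trusted peer",
    "c": "valid CA",
    "T": "trusted CA to issue client certificates",
    "C": "trusted CA to issue server certificates",
    "u": "user certificate (private key in the key DB)",
    "w": "send warning",
}


def parse_nss_trust(trust):
    """Split "CT,C,C" into {"ssl": {"C","T"}, "email": {"C"}, "objsign": {"C"}}."""
    fields = trust.split(",")
    if len(fields) != 3:
        raise ValueError("expected three comma-separated fields: %r" % trust)
    parsed = {}
    for purpose, field in zip(NSS_PURPOSES, fields):
        unknown = set(field) - set(NSS_TRUST_LETTERS)
        if unknown:
            raise ValueError(
                "unknown trust letter(s) %s in %r" % (sorted(unknown), trust)
            )
        parsed[purpose] = set(field)
    return parsed


def trusted_ca_for(trust, purpose):
    """True if the trust string marks the cert a trusted CA for one purpose.

    Simplified reading of the certutil letters: explicit distrust ('p') in
    a field overrides any trust letter in the same field, and either 'C'
    or 'T' makes the certificate a trusted issuer for that field's purpose.
    """
    flags = parse_nss_trust(trust)[purpose]
    if "p" in flags:
        return False
    return bool(flags & {"C", "T"})


def trust_summary(trust):
    """Per-purpose view: for which purposes a cert is a trusted CA."""
    return {purpose: trusted_ca_for(trust, purpose) for purpose in NSS_PURPOSES}


if __name__ == "__main__":
    for entry in parse_pem_bundle(SAMPLE_BUNDLE):
        # Every bundle entry looks the same: a label and bytes, nothing about purpose.
        print(entry["label"], len(entry["der"]), "bytes, trust metadata: none")
    for trust in ("CT,C,C", "C,,", "p,p,p", "u,u,u"):
        print(trust, trust_summary(trust))
```

The bundle parser deliberately returns nothing but label and bytes: whatever a program wants to know about a bundle entry beyond "it is in the file" has to come from convention outside the format, which is the trust-for-all-purposes situation described above. The NSS side keeps the per-purpose decision in the store itself, and the distrust letter gives a way to mark a CA as explicitly not trusted rather than merely absent.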