Chris Hills wrote:
Perhaps there is a place for a fork of Firefox (perhaps an "enterprise"
version) that uses the Windows certificate store and dispenses with the
local certificate store. I understand that support for MSI installation
is already being worked on.

I think it would make much, much more sense to use the OS store for private keys across all Firefox versions!

This is the strategy followed by Chrome.

In fact, there is code to do that in NSS, but I'm afraid it's currently not really maintained:
Mac OS X version:
http://mxr.mozilla.org/security/source/security/nss/lib/ckfw/nssmkey/
Microsoft CAPI version:
http://mxr.mozilla.org/security/source/security/nss/lib/ckfw/capi/

Until now, I thought Chrome was using that code, but in fact it uses three separate implementations of its security and SSL code, for Windows, Mac OS, Linux, based on the CAPI-Schannel / CSSM-Secure Transport / NSS stack, as can be seen here:
http://src.chromium.org/viewvc/chrome/branches/official/build_166.1/src/net/base/ssl_client_socket_win.cc
http://src.chromium.org/viewvc/chrome/branches/official/build_166.1/src/net/base/x509_certificate_win.cc
http://src.chromium.org/viewvc/chrome/branches/official/build_166.1/src/net/base/ssl_client_socket_nss.cc
http://src.chromium.org/viewvc/chrome/branches/official/build_166.1/src/net/base/x509_certificate_nss.cc
http://src.chromium.org/viewvc/chrome/branches/official/build_166.1/src/net/base/ssl_client_socket_mac.cc
http://src.chromium.org/viewvc/chrome/branches/official/build_166.1/src/net/base/x509_certificate_mac.cc
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
