helpcrypto helpcrypto wrote:
> IMHO, this is something that needs some clarification, as Mozilla *IS*
> supporting it developing JSS but at the same time saying "we do not
> support it", 

Some people who are part of the Mozilla project maintain JSS. I will help 
review patches to JSS if/when the members of the NSS team that want to continue 
supporting JSS ask me to. That is as much enthusiasm for JSS as you are likely 
to get from Mozilla employees.

> and other options don't work properly due to some bugs
> that need to be fixed...or not. Google Chrome works well and is
> taking some advantage on this feature (too).

Google Chrome is exposing NSS to Java/JSS on Mac OS X? I did not think that 
Chrome uses the NSS certificate database at all on Mac OS X.

> -Does Mozilla *WANT* Java use certificates stored on NSS to do
> document signing?
> -What about Java applets?
> -Is Mozilla going to *AVOID* Java use certificates, or consider this
> as an "undocumented/undesired behaviour"?
> -What about Java applets?

We already expose window.crypto.signText which supposedly will sign documents 
using certificates stored in NSS on all *desktop* Firefox versions. This should 
be accessible from Java via the Java-JS bridge that I know nothing about.

> -Supporting this (or document sign with XAdES or any other advanced
> systems) is one of Mozilla's targets?

In Firefox and Thunderbird? No.

> -Will patches which fix these issues merged (if correct) in branch, or
> will they become marked as WONTFIX?

It depends on whether the bug is in JSS, NSS, Gecko, and what exactly the bug 
is, and how complex the patch is. If you provide more details of what doesn't 
work, we can discuss whether it is reasonable to try to fix it.

> We don't want to rely on "undocumented/undesired" behaviour, and will
> like to discuss what's the "official opinion" on this.

I cannot tell you an official opinion but I would say that I personally would 
not bet any money on depending on Java + NSS integration to work reliably in 
Firefox, because that would be a very low priority for most Gecko developers.

> Consider the following example:
>     Signing a document with XAdES format with a certificate stored
>     on NSS.
> Can it be done? 

I am not sure.

> How should it be done?

I am not sure how to solve whatever problems you are having in the short term.

In the long term:

1. Write patches that replace the usage of NSS in Firefox with usage of the 
system certificate store for client certificates.
2. Help specify and develop the DOMCrypt JS API in Firefox, including 
integration of DOMCrypt with the system certificate store.
3. Rewrite the applet in JS. If you can't, then have your Java application use 
the JS<->Java API we have to use the DOMCrypt JS API to sign your documents.

I noticed that you seem to be considering reading the NSS keyX.db and certX.db 
files from Java directly. Keep in mind that it is not supported to access these 
files directly, that these files may change format at any time (e.g. Red Hat 
would like Firefox and Thunderbird to switch to the SQLite-based format), and 
that hopefully Firefox and Thunderbird will eventually stop using these NSS 
certificate databases completely except on Linux. None of those things will 
happen any time soon, but I expect them all to happen eventually.

Cheers,
Brian
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
