[Originally sent this to Darren, but forgot to CC PSARC-ext]

Hi Darren,

I got forwarded a pointer to this case that you filed. Thanks for taking the time to do this.

> http://sac.eng/Archives/CaseLog/arc/PSARC/2009/430/20090811_darren.moffat

I would recommend using the certificate directory approach instead of creating a single file with all certificates. The directory allows us to use a single PEM file per-certificate instead of having a huge PEM blob. The single PEM file consumes more memory, since the whole blob gets loaded into memory. If the directory is used, individual keys are loaded into memory instead.

Delivering a single blob also has implications for package delivery. If we use a directory, other packages can deliver certs to a common location, if needed. The blob approach blocks multiple party certificate delivery, and requires us to update the entire blob when one certificate changes. It would be more elegant to add/remove the affected files from a certificate directory.

Since I had to solve this problem for pkg(5), I've already written code that can extract the certs from mozilla's nss library, or their CVS server, and then build a directory of certs with corresponding hash-value-named symlinks. Feel free to use this code instead of writing more from scratch.

Thanks,
-j
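The layout the mail argues for (one PEM file per certificate plus `<subject-hash>.<n>` symlinks, which is what OpenSSL's `-CApath` lookup expects) can be built from a bundle with a small script. The following is an added example written for this page; it is not the pkg(5) code referred to above, nor anything from the PSARC case. It assumes `openssl(1)` is on `PATH` for the hash and verification steps; the `cert-NNN.pem` file names, the `split_bundle`/`rehash_dir` function names and the two self-signed test certificates are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the PSARC case or pkg(5). Splits a single PEM
# "blob" into one file per certificate and builds OpenSSL-style
# <subject-hash>.<n> symlinks so the directory can be used as a CApath.
# Assumed: openssl(1) on PATH; file naming below is this example's own.

# split_bundle BUNDLE DIR
# Copy each BEGIN/END CERTIFICATE block from BUNDLE into DIR/cert-NNN.pem.
# Text outside the markers (comments, trust metadata) is dropped.
# Prints the number of certificate files written.
split_bundle() {
    bundle=$1 dir=$2
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    ls "$dir"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# rehash_dir DIR
# For each *.pem in DIR create the symlink <subject-hash>.<n> that the
# OpenSSL CApath lookup expects; <n> counts up when two distinct files
# share a subject hash. Re-running is safe: an existing link that already
# points at the file is kept. Prints the number of hash links present.
rehash_dir() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        name=$(basename "$pem")
        hash=$(openssl x509 -noout -hash -in "$pem") || return 1
        n=0
        while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
            [ "$(readlink "$dir/$hash.$n")" = "$name" ] && continue 2
            n=$((n + 1))
        done
        ln -s "$name" "$dir/$hash.$n"
    done
    ls "$dir" | grep -c '^[0-9a-f]\{8\}\.[0-9][0-9]*$' || true
}

# make_demo_bundle FILE
# Constructed sample input: two self-signed test certificates generated on
# the fly and concatenated into one blob, the form the mail recommends
# replacing. Requires openssl(1).
make_demo_bundle() {
    out=$1 tmp=$(mktemp -d)
    : > "$out"
    for cn in "Example Root CA 1" "Example Root CA 2"; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
            -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null || return 1
        cat "$tmp/cert.pem" >> "$out"
    done
    rm -rf "$tmp"
}

# Stand-alone demo: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_demo_bundle "$work/bundle.pem"
    echo "split: $(split_bundle "$work/bundle.pem" "$work/certs") certificates"
    echo "links: $(rehash_dir "$work/certs")"
    ls -l "$work/certs"
    openssl verify -CApath "$work/certs" "$work/certs/cert-001.pem"
fi
```

Because every certificate is its own file, a second package can drop `foo.pem` into the same directory and run `rehash_dir` again without touching anything already there, and removing a certificate is deleting one file and its link rather than rebuilding a blob.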