Re: libnss consolidation (was: Re: X.509 and CA certificates for other purposes (i.e. the IGTF))

2013-06-10 Thread Bastien ROUCARIES
On 10 June 2013 07:06, Florian Weimer f...@deneb.enyo.de wrote: * Bastien ROUCARIES: Maybe crypto consolidation around libnss will greatly help here. jessie release goal? NSS has lots of global state, and its proper initialization from another library is difficult. Could you give

libnss consolidation (was: Re: X.509 and CA certificates for other purposes (i.e. the IGTF))

2013-06-09 Thread Florian Weimer
* Bastien ROUCARIES: Maybe crypto consolidation around libnss will greatly help here. jessie release goal? NSS has lots of global state, and its proper initialization from another library is difficult. Switching over to it is probably doable, but it's not really straightforward. On the

Re: libnss consolidation

2013-06-01 Thread Arto Jantunen
Brian May br...@microcomaustralia.com.au writes: On 31 May 2013 20:19, Bastien ROUCARIES roucaries.bast...@gmail.com wrote: Gnutls is really crappy about suid see http://lists.debian.org/debian-devel/2010/03/msg00298.html 2+ years later or 2 Debian releases later, I would have hoped these

Re: libnss consolidation (was: X.509 and CA certificates for other purposes (i.e. the IGTF))

2013-05-31 Thread Bastien ROUCARIES
On Fri, May 31, 2013 at 4:42 AM, brian m. carlson sand...@crustytoothpaste.net wrote: On Thu, May 30, 2013 at 04:04:47PM +0200, Bastien ROUCARIES wrote: Cons: - not all crypto libraries are equivalent; choosing one will exclude some functionality provided by others SEE compat layer -

Re: libnss consolidation (was: X.509 and CA certificates for other purposes (i.e. the IGTF))

2013-05-31 Thread Brian May
On 31 May 2013 20:19, Bastien ROUCARIES roucaries.bast...@gmail.com wrote: Gnutls is really crappy about suid see http://lists.debian.org/debian-devel/2010/03/msg00298.html 2+ years later or 2 Debian releases later, I would have hoped these issues would be, somehow, magically, fixed by now

Re: libnss consolidation (was: X.509 and CA certificates for other purposes (i.e. the IGTF))

2013-05-31 Thread brian m. carlson
On Fri, May 31, 2013 at 12:19:27PM +0200, Bastien ROUCARIES wrote: On Fri, May 31, 2013 at 4:42 AM, brian m. carlson sand...@crustytoothpaste.net wrote: NSS does not support TLS 1.2. Since RC4 is not used securely in TLS, and the only other choice in TLS 1.1 and earlier is block ciphers

Re: libnss consolidation (was: X.509 and CA certificates for other purposes (i.e. the IGTF))

2013-05-30 Thread Dennis van Dok
On 30-05-13 13:16, Bastien ROUCARIES wrote: Using only one lib for crypto (libnss) will allow to use only one trust certificate format 'Allow only one' doesn't immediately strike me as beneficial, but I see what you mean. The discussion is similar to others (such as about which init system to

Re: libnss consolidation (was: X.509 and CA certificates for other purposes (i.e. the IGTF))

2013-05-30 Thread Bastien ROUCARIES
On 30 May 2013 14:08, Dennis van Dok denni...@nikhef.nl wrote: On 30-05-13 13:16, Bastien ROUCARIES wrote: Using only one lib for crypto (libnss) will allow to use only one trust certificate format 'Allow only one' doesn't immediately strike me as beneficial, but I see what you mean.

Re: libnss consolidation (was: X.509 and CA certificates for other purposes (i.e. the IGTF))

2013-05-30 Thread brian m. carlson
On Thu, May 30, 2013 at 04:04:47PM +0200, Bastien ROUCARIES wrote: Cons: - not all crypto libraries are equivalent; choosing one will exclude some functionality provided by others SEE compat layer - we somehow have to deal with legacy systems that can't convert - adoption of new