Re: PKCS#11 software token concurrent database access
Robert Relyea wrote:

Jean-Marc Desperrier wrote:

Robert Relyea wrote:

I'm currently running my Firefox and TB against the sqlite3 database. The main impediment to general deployment is Bug 391296. New NSS applications would not have to worry about the issues in Bug 391296.

I really think that simply supporting mode 2 (see http://wiki.mozilla.org/NSS_Shared_DB#Database_Upgrade) and not solving bug 391296 is sufficient for Firefox.

Quite correct. The purpose of Bug 391296 is to support mode 3. Firefox and Thunderbird are the poster children for mode 3.

The use case I was describing below was the one I saw for someone using certs in both Firefox and Thunderbird.

If the need to share certs already existed before the technical possibility, the user had to do it by hand, and will not be shocked to have to do so at the migration time. If the need was not there before, then there will be no certificate to share *at* the migration time.

But actually, what I'm most interested in would be a confirmed list of what blocks activating the use of shared database for Fx 3, and if bug 391296 is in it, so be it.

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: PKCS#11 software token concurrent database access
Jean-Marc Desperrier wrote:

The use case I was describing below was the one I saw for someone using certs in both Firefox and Thunderbird.

If the need to share certs already existed before the technical possibility, the user had to do it by hand, and will not be shocked to have to do so at the migration time. If the need was not there before, then there will be no certificate to share *at* the migration time.

Hey, that makes perfect sense! There is just one thing to make the user somehow aware of the need to migrate the certs manually. Or what happens if he doesn't and realizes only after upgrade that he should have done so?

--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390
Re: PKCS#11 software token concurrent database access
Eddy Nigg (StartCom Ltd.) wrote:

Shared DB would be one of the greatest things! So I'm not able to judge if and when it can be done, but looking very much forward to it. Bob, how can I enable this for FF and TB to share the same DB?

If you want to start playing with it, try the instructions at http://wiki.mozilla.org/NSS_Shared_DB_Samples

I wrote them up when we had the first alpha version of the shared database. I just went in and added a few comments to bring them up to date (you no longer have to specially install the alpha package anymore, for instance, so have the instructions can be ignored).

bob
Re: PKCS#11 software token concurrent database access
Robert Relyea wrote:

If you want to start playing with it, try the instructions at http://wiki.mozilla.org/NSS_Shared_DB_Samples

I wrote them up when we had the first alpha version of the shared database. I just went in and added a few comments to bring them up to date (you no longer have to specially install the alpha package anymore, for instance, so have the instructions can be ignored).

This sounds like fun to me. I hope I'll find the time to play with it. Do you know if a version of TB from the nightly also has the required NSS libs? I'd rather go that route than starting to fiddle with them if possible...

--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390
Re: PKCS#11 software token concurrent database access
Jean-Marc Desperrier wrote:

Robert Relyea wrote:

I'm currently running my Firefox and TB against the sqlite3 database. The main impediment to general deployment is Bug 391296. New NSS applications would not have to worry about the issues in Bug 391296.

I really think that simply supporting mode 2 (see http://wiki.mozilla.org/NSS_Shared_DB#Database_Upgrade) and not solving bug 391296 is sufficient for Firefox.

Before the support for shared databases, people who had multiple applications using non-shared db and a need to share certificates between them had to export them in pkcs#12 and reimport, and do it again each time they got a new certificate.

With mode 2, those people have to do it again but only once at the time they do the merging between the db of two applications, and never again after that. This is already a big improvement.

I do not see the fact it could be done even better if bug 391296 were implemented, not requiring that manual step for the first merge, as a good reason to block that improvement.

Shared DB would be one of the greatest things! So I'm not able to judge if and when it can be done, but looking very much forward to it. Bob, how can I enable this for FF and TB to share the same DB?

--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390
Re: PKCS#11 software token concurrent database access
Nelson Bolyard wrote:

Joe Orton wrote, On 2008-02-07 00:46:

Hi. When using the libsoftokn3.so PKCS#11 provider, is it safe to open a read-only session to a database which is opened read-write by another process (e.g. Firefox)? (By safe, I mean simply that the provider will not crash and burn if Firefox modifies something underneath it)

No, the Berkeley database used in all versions of NSS up through NSS 3.11.x and in all versions of FireFox before FireFox 3, is not safe to be used in that manner.

With NSS 3.12, which will be used in FireFox 3, it will be possible to configure an application to use a different database, namely sqlite3. It will be safe to share a common database among multiple applications, including read-write applications, with sqlite3.

However, as I understand it, FF3 will not use sqlite3 by default. It can be configured, but I'm not sure how.

Oh, I thought one of the stated goals of FF3 is to move to sqlite. Apparently there was a change in direction at some point?

--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390
Re: PKCS#11 software token concurrent database access
Joe Orton wrote, On 2008-02-07 00:46:

Hi. When using the libsoftokn3.so PKCS#11 provider, is it safe to open a read-only session to a database which is opened read-write by another process (e.g. Firefox)? (By safe, I mean simply that the provider will not crash and burn if Firefox modifies something underneath it)

No, the Berkeley database used in all versions of NSS up through NSS 3.11.x and in all versions of FireFox before FireFox 3, is not safe to be used in that manner.

With NSS 3.12, which will be used in FireFox 3, it will be possible to configure an application to use a different database, namely sqlite3. It will be safe to share a common database among multiple applications, including read-write applications, with sqlite3.

However, as I understand it, FF3 will not use sqlite3 by default. It can be configured, but I'm not sure how.

/Nelson