Proposed F19 Feature: Shared System Certificates

Kai Engert kaie at kuix.de
Thu Jan 24 16:39:03 UTC 2013


On Thu, 2013-01-24 at 08:27 -0800, Samuel Sieb wrote: 
> On 01/23/2013 07:05 AM, Jaroslav Reznik wrote:
> > = Features/SharedSystemCertificates =
> > https://fedoraproject.org/wiki/Features/SharedSystemCertificates
> >
> > Feature owner(s): Kai Engert <kaie at redhat.com>, Stef Walter <stefw at redhat.com>
> >
> > Make NSS, GnuTLS, OpenSSL and Java share a default source for retrieving
> > system certificate anchors and black list information. This is an initial
> > but useful step in the direction of a comprehensive solution.
> >
> Will this finally allow deploying an extra CA system-wide that Mozilla 
> products will accept?

Yes, if we achieve the goal of getting NSS to use the new pkcs#11
library, instead of the default libnssckbi.so, without requiring
application changes.

We'll have to figure out how to do it. Possibly by
changing /usr/lib64/libnssckbi.so to be a symbolic link
to /etc/alternatives - which can then either point to a classic NSS lib
- or, if our new infrastructure is active - point to the new pkcs#11
replacement.

I'm not yet sure whether we would continue to ship both alternatives and
use the above system of symbolic links - or whether the new
dynamical-contents library would become a mandatory install right away -
together with a change to stop shipping the classic static-contents
library.

Kai
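
To illustrate the symbolic-link scheme floated in the message above, this added example (not part of the original post and not Fedora's own tooling) walks such a link chain hop by hop and reports which library it ends at, since that file decides which trust anchors NSS applications load. The tree is built in a temporary directory; the link name under /etc/alternatives and the file names `libnssckbi-classic.so` and `shared-trust.so` are hypothetical placeholders.

```shell
# Added example. All file names below are constructed placeholders.

# resolve_chain PATH: print each hop of a symlink chain, final target last.
# Fails on a dangling link or on more than 16 hops (treated as a loop).
resolve_chain() {
    path=$1 hops=0
    while [ -L "$path" ]; do
        printf '%s\n' "$path"
        hops=$((hops + 1))
        [ "$hops" -le 16 ] || { echo "loop at $path" >&2; return 1; }
        target=$(readlink "$path")
        case $target in
            /*) path=$target ;;                      # absolute link target
            *)  path=$(dirname "$path")/$target ;;   # relative to the link's dir
        esac
    done
    [ -e "$path" ] || { echo "dangling: $path" >&2; return 1; }
    printf '%s\n' "$path"
}

# trust_module_kind LINK: name which alternative the chain ends at.
trust_module_kind() {
    chain=$(resolve_chain "$1") || return 1
    final=$(printf '%s\n' "$chain" | tail -n 1)
    case $(basename "$final") in
        libnssckbi-classic.so) echo classic ;;
        shared-trust.so)       echo shared ;;
        *)                     echo "unknown: $final" ;;
    esac
}

# make_demo_tree ROOT MODE: build the constructed layout under ROOT.
make_demo_tree() {
    root=$1 mode=$2 alt=$1/etc/alternatives/libnssckbi.so
    mkdir -p "$root/usr/lib64/nss" "$root/usr/lib64/pkcs11" "$root/etc/alternatives"
    : > "$root/usr/lib64/nss/libnssckbi-classic.so"
    : > "$root/usr/lib64/pkcs11/shared-trust.so"
    rm -f "$root/usr/lib64/libnssckbi.so" "$alt"
    ln -s "$alt" "$root/usr/lib64/libnssckbi.so"
    case $mode in
        classic) ln -s "$root/usr/lib64/nss/libnssckbi-classic.so" "$alt" ;;
        shared)  ln -s "$root/usr/lib64/pkcs11/shared-trust.so" "$alt" ;;
    esac
}

demo=$(mktemp -d)
make_demo_tree "$demo" shared
trust_module_kind "$demo/usr/lib64/libnssckbi.so"   # prints "shared"
rm -rf "$demo"
```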



