> > I also don't like the idea of having invisible orphans in my key store.
> > Again, there may be no technical reason for wanting to avoid such
> > things, but it goes against my philosophy and instinct.
Mostly it was a combination of no technical reason to do it and it actually being technically difficult to implement. Presenting keys isn't a problem; doing something with the presented keys is. The main reason is that certutil is designed to work with both our internal token and external tokens. Orphaned keys have no nickname. The handle we have on the key is the key's keyID, which can be (and usually is) a 20-byte value. That's a little unwieldy for a command line tool. Attempts to get around this were buggy and would always break when we adjusted the way some of the layering works in our code.

That being said, it's probably a reasonable feature request to display more information about keys (I was pretty sure we displayed orphaned keys... they just didn't have any useful data in the display), and maybe ways to purge all orphaned keys.

The documentation point should be well taken. While documentation for the command line tools is lower on our priorities than, say, getting the next release of the libraries out (which is our primary focus), the docs shouldn't be neglected. I am presuming you are using the documentation on the mozilla web site, and not some older version that applied to pre-open-source versions of the tools. Anyway, any updates about which documents are wrong (like the -k flag) are extremely helpful in making them more useful.

bob
