Running NSS as a "Service"

[Anders Rundgren]

After looking into several similar solutions including Gnome Keyring
I wonder if it is not time for NSS transcending into a service rather
than a library running in application context.

Anyway, it seems pretty difficult adding a "trusted GUI" or "application ACL"
support to NSS without a major redesign.

Thoughts?

Anders
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: For discussion: MECAI: Mutually Endorsing CA Infrastructure

[Julien Pierre]

Kai,

On 2/7/2012 12:58, Kai Engert wrote:


That's a reason why I propose vouchers to be IP specific.

In my understanding, each IP will have only a single certificate, 
regardless from where in the world you connect to it.



That's definitely an incorrect assumption to make.
There can be a very large number of different certs on a single port/IP 
combination.
The server name indication extension is one reason - there may be 
different certs for different values of SNI.
Different cipher suites in the ClientHelo message as previously 
mentioned can lead to certs with different KEAs.
Load balancers are yet another reason - you may end up connecting to 
separate servers which could have their own separate certificates  - 
though not necessarily, the keys and certs could just be cloned across a 
server farm .
The new Oracle Traffic Director product, which is NSS-based, supports 
all the above different configurations.


Julien

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto