On Tue, 2005-04-19 at 14:53 -0700, Bob Relyea wrote: > So the world is even *MORE* complicated that this. Yes, we're aware of this complication :-) > Only about half our packages use openssl to get their SSL > implementations. The other half uses NSS. > NSS store keys in in a keyX.db file and certs in certX.db. To make > matters worst, like openSSL apps, > NSS apps typically store their own copy of the database somewhere in the > user's profile. We're not talking about user keys and certs, rather system services specific to the host which have public and private keys and certificates, the obvious examples are network services providing SSL connections, but other examples exist. > I agree we need to solve this problem, but I think we need to take a > step back and understand how > each application uses it's keys and certs. Just saying the keys and > certs live in a particular directory > is not sufficient. > > I wish I had seen this discussion earlier. It appears to have completely > punted on applications that use NSS. I'll confess I'm not that familar with NSS, but if NSS wants to store things in a .db file, and even if multiple .db files need to live in the same directory I don't see why /etc/keys or one of its subdirs wouldn't meet that requirement (.db files are just simple files, right?) But once again, just to be clear, users are NOT going to be writing their keys/certificates in /etc/keys. If a service wants to maintain a database of per user keys/certificates in /etc/keys I don't see a problem with that because its the service (running with proper permissions) who is managing that data, not the user. -- John Dennis <jdennis@xxxxxxxxxx>
