On Thu, 2013-01-24 at 08:27 -0800, Samuel Sieb wrote: > On 01/23/2013 07:05 AM, Jaroslav Reznik wrote: > > = Features/SharedSystemCertificates = > > https://fedoraproject.org/wiki/Features/SharedSystemCertificates > > > > Feature owner(s): Kai Engert <kaie@xxxxxxxxxx>, Stef Walter <stefw@xxxxxxxxxx> > > > > Make NSS, GnuTLS, OpenSSL and Java share a default source for retrieving > > system certificate anchors and black list information. This is an initial > > but useful step in the direction of a comprehensive solution. > > > Will this finally allow deploying an extra CA system-wide that Mozilla > products will accept? Yes, if we achieve the goal to get NSS into using the new pkcs#11 library, instead of the default libnssckbi.so, without requiring application changes. We'll have to figure out how to do it. Possibly by changing /usr/lib64/libnssckbi.so to be a symbolic link to /etc/alternatives - which can then either point to a classic NSS lib - or, if our new infrastructure is active - point to the new pkcs#11 replacement. I'm not yet sure whether we would continue to ship both alternatives and use the above system of symbolic links - or whether the new dynamical-contents library would become a mandatory install right away - together with a change to stop shipping the classic static-contents library. Kai -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
