Message from discussion NSS 3.12 codesize hit (Was: Milestone Scheduling)
Newsgroups: mozilla.dev.planning
From: Jean-Marc Desperrier <jmd...@alussinan.org>
Date: Mon, 23 Jul 2007 13:52:54 +0200
Local: Mon, Jul 23 2007 7:52 am
Subject: Re: NSS 3.12 codesize hit (Was: Milestone Scheduling)

Mike Connor wrote:
> "Libpkix provides a much more complete and modern parsing of
> certificates, most importantly policy parsing and handling cross
> certificate environments correctly. Both of these are needed for EV (the
> primary driver of getting libpkix in). (It also includes such things as
> on-the-fly fetching of intermediate certs.)"

I am not so convinced those elements are so absolutely required to
support EV certificates. After all, VeriSign did an EV extension that
works with the current Firefox, even if it's very certainly taking some
ugly short-cuts.

The NSS team also says that most of the support for EV cert should be
inside PSM and not NSS (bug 374336, 375666,
news://news.mozilla.org:23/fM2dnQ0AXqlgvWbYnZ2dnUVZ_smon...@mozilla.org ),
and by extending the part that's inside PSM it might be possible to
support EV certs without changing NSS. I'm sure the required policy
checking can be done outside of NSS (only a small part of what libpkix
supports is really required). The cross-certificates part also seems
solvable from what I've understood about what is really done by CAs in
practice (by reading http://alwayson.goingon.com/permalink/post/7871).
If we give PSM knowledge of both the self-signed EV cert and the
cross-signed one, then it doesn't really matter what way NSS handles the
cross-cert path.

Of course, it would be much nicer to just use NSS 3.12, that brings many
other long awaited features (shared db!), but that code changes a lot of
things and still seems very alpha.
http://wiki.mozilla.org/NSS_Shared_DB_Samples
"prealpha shared database code" (this is the description as of 8 June)


 