Bug#741005: iceweasel: using p11-kit to replace nssckbi?
geissert at debian.org
Fri Mar 7 09:55:42 UTC 2014
X-Debbugs-CC: p11-kit at packages.debian.org
Hi Mike, everyone,
With the recent switch of wheezy-security's iceweasel to using the
embedded copy of nss I was hit again by some local certificates being
missing. Sure enough, this is not a new issue and was expected.
However, I'm wondering about using p11-kit's -trust.so provider to
replace nssckbi, pretty much like described by #704180 but done
directly by nss. The aim being to finally centralise this in a way
that is, slightly, more flexible than it currently is.
Now, there are of course some downsides which include losing specific
usage and trust settings. I'm not too worried about usage settings as
much as I am for the trust bits. How could we distrust an intermediate
CA next time if we use p11-kit?
What is your opinion on all this? what other difference between the
two providers is there that I might be missing?
Thanks in advance.
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
More information about the pkg-mozilla-maintainers