Bug#741005: iceweasel: using p11-kit to replace nssckbi?

Raphael Geissert geissert at debian.org
Fri Mar 7 09:55:42 UTC 2014

Source: nss
Severity: wishlist
Version: 2:3.14.5-1
X-Debbugs-CC: p11-kit at packages.debian.org

Hi Mike, everyone,

With the recent switch of wheezy-security's iceweasel to using the
embedded copy of nss I was hit again by some local certificates being
missing. Sure enough, this is not a new issue and was expected.

However, I'm wondering about using p11-kit's -trust.so provider to
replace nssckbi, pretty much like described by #704180 but done
directly by nss. The aim being to finally centralise this in a way
that is, slightly, more flexible than it currently is.

Now, there are of course some downsides which include losing specific
usage and trust settings. I'm not too worried about usage settings as
much as I am for the trust bits. How could we distrust an intermediate
CA next time if we use p11-kit?

What is your opinion on all this? what other difference between the
two providers is there that I might be missing?

Thanks in advance.

Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

More information about the pkg-mozilla-maintainers mailing list