Bug#741005: iceweasel: using p11-kit to replace nssckbi?
bigon at debian.org
Thu Mar 2 16:16:54 UTC 2017
On Fri, 7 Mar 2014 10:55:42 +0100 Raphael Geissert <geissert at debian.org> wrote:
> Hi Mike, everyone,
> With the recent switch of wheezy-security's iceweasel to using the
> embedded copy of nss I was hit again by some local certificates being
> missing. Sure enough, this is not a new issue and was expected.
> However, I'm wondering about using p11-kit's -trust.so provider to
> replace nssckbi, pretty much like described by #704180 but done
> directly by nss. The aim being to finally centralise this in a way
> that is, slightly, more flexible than it currently is.
> Now, there are of course some downsides which include losing specific
> usage and trust settings. I'm not too worried about usage settings as
> much as I am for the trust bits. How could we distrust an intermediate
> CA next time if we use p11-kit?
> What is your opinion on all this? What other differences between the
> two providers are there that I might be missing?
> Thanks in advance.
FTR, is trying to do something similar and use p11-kit for everything:
More information about the pkg-mozilla-maintainers