[xmlsec] another nss patch
Andrew Fan
Andrew.Fan@sun.com
Thu, 24 Jul 2003 12:25:58 +0800
Tej Arora wrote:
>Aleksey Sanin wrote:
>
> >
> > > As I mentioned before, I also want to create a certificate store based
> > > on the NSS certificate database handler,
> > > which will enable us to use other NSS features, such as LDAP, OCSP, and
> > > various CRLs.
> >
> > I believe this is how it is implemented right now, isn't it? Tej?
>
>Yes, the cert/crl store (x509store) is the NSS db right now.
>Andrew, LDAP access is not an NSS feature - NSS does nothing
>with LDAP AFAIK, so I don't know what you mean.
>
Again, I did not illustrate the case clearly. :-( I mean that a user can
use other tools to access LDAP for certificates and CRLs. If xmlSec uses
the certificateDB handler, the user can import the certificates into certDb
temporarily, so they will work in the process of validating a
certificate. Sometimes, the certificate information in the xml document is
not sufficient in a complex PKI environment.
>
> >
> > > And another is that I want to create symmetric keys with the crypto device
> > > mechanism instead of from a random generator,
> > > although it works well.
> >
> > Good! I like this idea!
> >
> > > And I also want to provide a more common key manager based on slot and
> > > certificate database.
> >
> > Not sure what you mean by this, but it sounds good to me.
>
Now everything seems clear and clean. We use the NSS slot and certificate
database. They are the only two open things that are shared with the user on
top of NSS. The user can control the slot and certDB in order to get what he
wants. So we can design a key manager with a preference slot list (if a slot
list is used) and CertDB: finding every external key from a slot,
importing every internally created key into a slot, importing every
internal certificate read from the xml document into CertDB, and validating
every certificate in a certain certDB. XmlSec does not care how to build a
slot list or how to manage certDB; users will administer those by
themselves. That's what I think about it.
Andrew
>[...]
>