Talk:NSS Shared DB: Difference between revisions

Update to first "for" argument
(/* Review input needed: sdb_GetPWEntry and sdb_PutPWEntry: Would it be better to define a 'metadata' operation where we call the database to fetch data that is not reflected through the PKCS #11 inter)
(Update to first "for" argument)
 
Line 5: Line 5:
== Review input required: is there a preference between a single DB file or separate key and cert DB files? ==
== Review input required: is there a preference between a single DB file or separate key and cert DB files? ==


1. I have heard good arguments both for and against combining the two DBs.
1. <Nelson> I have heard good arguments both for and against combining the two DBs.


For: The cert DB contains trust information and therefore is just as security sensitive to the user as the contents of the private keys.  It should be password protected (encrypted) just as the key DB already is.  
For: The cert DB contains trust information and therefore is just as security sensitive to the user as the contents of the private keys.  It should be password protected (encrypted) just as the key DB already is.  
(Update: Actually, the issue isn't secrecy of the cert DB contents, but rather integrity (authenticity).  There are third party tools today that claim to be able to operate directly on NSS DBs.  The worry is that someone might inject a new CA cert and mark it trusted, without the knowledge of the DB's rightful
owner.)
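Review bot: the added update says the concern is integrity (authenticity) rather than secrecy, but the "For" sentence just above it still concludes that the cert DB "should be password protected (encrypted) just as the key DB already is". Encryption on its own does not provide tamper detection, so the two statements now pull in different directions. Consider rewording the "For" argument so that it asks for the trust records to be integrity-protected under the user's password, which is what the injected-trusted-CA worry actually calls for. The update is also unsigned, while item 1 now carries the <Nelson> tag, so it is not clear from the text who is making the correction.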



