NSS PKINIT requires nsCertType extension?

Greg Hudson
Wed Feb 1 11:48:48 EST 2017

On 02/01/2017 11:44 AM, Matt Rogers wrote:
>> I remember NSS having some behavior differences which made NSS PKINIT
>> not a drop-in for the OpenSSL implementation, but I don't remember if
>> this was one Nalin had discussed.  I went back and looked at the
>> conversation on krbdev in September and October 2011 when we merged it,
>> but there wasn't any discussion of behavior differences there.

I found the discussion I was thinking of.  It was in private mail so I
won't quote it, but the summary is that NSS doesn't seem to allow the
use of server certificates that aren't SSL certs (which I think matches
the problem you encountered).  To me, that's a pretty fatal flaw in NSS
as a general-purpose X.509 library and in the NSS PKINIT support.

> If it was only used by the crypto consolidation effort then perhaps we
> can remove it (I will ask around). The cert authorization plugin
> framework needed new functions in the PKINIT crypto backend, which I
> wrote for the OpenSSL variant, so I was giving it a shot before I went
> about writing NSS versions. But I can hold off on those for now if the
> NSS support is in limbo.

Sounds good.
