NSS PKINIT requires nsCertType extension?
ghudson at mit.edu
Wed Feb 1 11:48:48 EST 2017
On 02/01/2017 11:44 AM, Matt Rogers wrote:
>> I remember NSS having some behavior differences which made NSS PKINIT
>> not a drop-in for the OpenSSL implementation, but I don't remember if
>> this was one Nalin had discussed. I went back and looked at the
>> conversation on krbdev in September and October 2011 when we merged it,
>> but there wasn't any discussion of behavior differences there.
I found the discussion I was thinking of. It was in private mail so I
won't quote it, but the summary is that NSS doesn't seem to allow the
use of server certificates that aren't SSL certs (which I think matches
the problem you encountered). To me, that's a pretty fatal flaw in NSS
as a general-purpose X.509 library and in the NSS PKINIT support.
> If it was only used by the crypto consolidation effort then perhaps we
> can remove it (I will ask around). The cert authorization plugin
> framework needed new functions in the PKINIT crypto backend, which I
> wrote for the OpenSSL variant, so I was giving it a shot before I went
> about writing NSS versions. But I can hold off on those for now if the
> NSS support is in limbo.
More information about the krbdev