[xmlsec] another nss patch

Andrew Fan Andrew.Fan at sun.com
Wed Jul 23 21:25:58 PDT 2003


Tej Arora wrote:

>Aleksey Sanin wrote:
>
> >
> > > As I mentioned before, I also want to create a certificate store based
> > > on the NSS certificate database handler,
> > > which will enable us to use other NSS features, such as LDAP, OCSP, and
> > > various CRLs.
> >
> > I believe this is how it is implemented right now, isn't it? Tej?
>
>Yes, the cert/crl store (x509store) is the NSS db right now.
>Andrew, LDAP access is not an NSS feature - NSS does nothing
>with LDAP AFAIK, so I don't know what you mean.
>
Again, I did not illustrate the case clearly. :-(  I mean that a user can 
use other tools to access LDAP for certificates and CRLs. If xmlSec uses 
the certificateDB handler, the user can import the certificates into certDb 
temporarily, so they will work in the process of validating a 
certificate. Sometimes, the certificate information in the xml document is 
not sufficient in a complex PKI environment.

>
> >
> > > And another is I want to create symmetric keys with the crypto device
> > > mechanism instead of from a random generator,
> > > although it works well.
> >
> > Good! I like this idea!
> >
> > > And I also want to provide a more common key manager based on slot and
> > > certificate database.
> >
> > Not sure what you mean by this but it sounds good to me.
>
Now everything seems clear and clean. We use the NSS slot and certificate 
database. And they are the only two open things that are shared with the user on 
top of NSS. The user can control the slot and certDB in order to get what he 
wants. So we can design a key manager with a preferred slot list (if a slot 
list is used) and CertDB. Finding every external key from a slot, and 
importing every internally created key into a slot, importing every 
internal certificate read from the xml document into CertDB, and validating 
every certificate in a certain certDB. XmlSec does not care how to build a 
slot list and how to manage certDB; users will admin those by 
themselves. That's what I think about it.

Andrew

>[...]
>