This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: Possible systemtap/NSS areas of extension


On 02/14/2013 01:46 AM, Nathan Scott wrote:
> 4. system-wide NSS database
> - There appears to be a move toward consolidation of system/host
>   certificate databases, at least for NSS-based databases.  An
>   API has been added to facilitate transitioning to use of the
>   system-wide shared SQL NSS database - NSSInitWithMerge.  It'd
>   be an option for systemtap, if transitioning to the new form
>   is considered a desirable feature at some point, to use this
>   to merge the existing systemtap database with the system-wide
>   database.

Perhaps I misunderstand you, but we need to be really careful due to
what is implied by the certificates we accept.  We need not just "this
host's claimed identity is confirmed" but also "I trust this host to
feed me a module which I'll load in my kernel."  A systemwide database
for the likes of internet browsers is certainly not suitable for that
kernel level of trust.

