summaryrefslogtreecommitdiffstats
path: root/wiki/src/blueprint/persistence_iceweasel_client_certificates_preset.mdwn
diff options
context:
space:
mode:
Diffstat (limited to 'wiki/src/blueprint/persistence_iceweasel_client_certificates_preset.mdwn')
-rw-r--r--wiki/src/blueprint/persistence_iceweasel_client_certificates_preset.mdwn50
1 files changed, 50 insertions, 0 deletions
diff --git a/wiki/src/blueprint/persistence_iceweasel_client_certificates_preset.mdwn b/wiki/src/blueprint/persistence_iceweasel_client_certificates_preset.mdwn
new file mode 100644
index 0000000..e9bef15
--- /dev/null
+++ b/wiki/src/blueprint/persistence_iceweasel_client_certificates_preset.mdwn
@@ -0,0 +1,50 @@
+Persistence of client certificates in the browser would make their use a lot easier
+
+Research
+========
+
+Import method
+-------------
+
+The same approach than with bookmarks seems to be working. Candidate files are `key3.db` and/or `cert8.db` and/or `secmod.db` (<http://www-archive.mozilla.org/projects/security/pki/nss/db_formats.html>). These filenames seems to be subject to change without a notice.
+
+Another approach would be to use `pk12util` (from `nss3-tools` package, see <https://developer.mozilla.org/en-US/docs/NSS/Tools>) to import client cert (<https://developer.mozilla.org/en-US/docs/NSS/tools/NSS_Tools_pk12util>). See also `certutil` to import certificates (<http://wiki.wmtransfer.com/projects/webmoney/wiki/Installing_personal_certificate_in_Mozilla_Firefox> : <https://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil>)
+
+According to
+<https://support.mozilla.org/en-US/kb/Recovering%20important%20data%20from%20an%20old%20profile>:
+
+ - `key3.db` - This file stores your key database for your passwords.
+ - `cert8.db` - This file stores all your security certificate settings
+ and any SSL certificates you have imported into Firefox.
+
+It's being replaced by a sqlite database.
+
+One is asked passwords when importing client certificates. The [Python
+binding for
+NSS](https://www.mozilla.org/projects/security/pki/python-nss/)
+([Python
+API](http://people.redhat.com/jdennis/python-nss/doc/api/html/), [C
+API](https://developer.mozilla.org/en-US/docs/NSS#NSS_APIs)) should
+allow to do roughly the same as `pk12util` or `certutil`, but ask for
+the password graphically. But perhaps there's a GUI available
+somewhere already?
+
+If the certificate is not in PKCS #12 format, the certutil tool can be
+used to convert it.
+
+User experience
+---------------
+
+### NSS database upgrade
+
+certutil has a `--upgrade-merge` feature to *Upgrade an old database
+and merge it into a new database. This is used to migrate legacy NSS
+databases (cert8.db and key3.db) into the newer SQLite databases
+(cert9.db and key4.db).* that might be handy.
+
+However, certain certutil versions (e.g. 3.15) refuse to read or write
+any too old databases, such as the one Firefox 17 generates and uses
+with NSS 3.14.3 backported from Wheezy. We'll presumably always have
+to ship NSS and Firefox in sync' in Tails anyway. So, if we use
+certutil to perform the upgrade, then we and/or users will have to
+ensure it's done during the transition period, assuming there's one.