by Stutzman, David K CTR USA AMC
I have several dogtag installations and a couple are EC enabled according to the directions at http://pki.fedoraproject.org/wiki?title=ECC_Enabling_Dogtag.
Part of that is building a special NSS: http://pki.fedoraproject.org/wiki/ECC_Capable_NSS.
I followed all this and I have the 2 CAs up and running. There a couple outstanding bugs I have that, when fixed, I'll be needing to update the Dogtag RPMs. The problem is, doing so will overwrite my custom NSS with the nss required as a dep of the rest of the RPMs. For now I have added an ignore to the yum configuration on the 2 CAs in question, but when I need to update the rest of the RPMs I'll have the problem. I'd like to not have to rebuild, by hand, NSS each time I update the CA which requres an NSS update. I also don't necessarily want to keep using the same old NSS and ignore fixes in newer versions that may or may not be required by newer Dogtag components.
So, I'm asking if it would be possible to make the NSS that is required by Dogtag one that is built according to the ECC directions, or have 2 different packages that could satisfy the NSS dependency. Dogtag out of the box has EC referenced all through the GUI, config files, etc and it's quite misleading to the user. I spoke with Rob C (rcrit) in the dogtag IRC channel and he suggested I bring this up on this mailing list for discussion.
I've spoken with some people in the past questioning the need for the special treatment of ECC in NSS as NSS has an EC implementation already. The directions above effectively strip that implementation out and require a 3rd party PKCS#11 module that implements the ECC algorithms. I'm only interested in the 3 "Suite B" curves implemented in the basic EC side of things in NSS. Rob suggested it might be because you don't want to change the softtoken because of FIPS but he was guessing.