Fedora’s Crypto Consolidation


I just found out Fedora is attempting to consolidate on Mozilla’s NSS for system-wide cryptography. I love the idea and hope it succeeds as it will make using crypto so much easier for system administrators and users.

Since humans are the weakest link in the security chain, improving the human interaction with crypto is a much bigger security win than the latest impossible-to-crack-by-the-NSA-in-a-bajillion-years algorithm. While switching libraries isn’t exactly a huge UI win, having a single application to manage all of your certificates, keys, passwords, etc. would be.

I’d love to see Debian, Ubuntu, SUSE, et al. get on board as well because this is the sort of initiative that simply won’t happen upstream. Upstream developers have already chosen a crypto library and probably like it. The burden of tight integration is definitely the job of system engineers and packagers.

I submitted an Ubuntu Brainstorm Idea, so please feel free to vote on it if you’re so inclined:

I would love to submit this idea to Debian as well, but I have no idea where to even start. Probably a mailing list, but I don’t exactly have the skills to defend this proposition. Eventually bugs would need to be filed against every package that needs to be converted to NSS, but I’m afraid doing that as just-another-end-user might just anger a bunch of maintainers…

Update: Looks like the LSB is standardizing on NSS as well.

I really need to learn deb packaging…