PSM is a code module in the Mozilla platform. Formerly PSM meant "personal security manager", because it was implemented as a separate program. Things have changed long ago, the code is now an internal code module. Encryption technologies (such as SSL and PKI in general) have become a mandatory part of the Mozilla applications.

The PSM acronym may also be described as "Platform Security Module".

(As a reminder, PSM is internal glue code that connects the Mozilla platform code to the external NSS libraries. It's NSS that contains the general purpose implementations for core security protocols, algorithms and much more.

This page lists areas related to PSM code that are not (yet) solved sufficiently.

Certificate Management

Invalid duplicate certificates

The PKI related standard documents for X.509 certificates and certificate infrastructures require that all certificates issued in the world follow a simple rule: The pair of {issuer-certificate-subject-name, serial number} must always be unique.

The implementation of NSS assumes that the world is perfect and no such duplicates exist. Unfortunately, in the real world mistakes are being made, and such duplicates exist. When NSS experiences such duplicates, it will get confused, which may lead to unexpected behaviour. For example, a user's storage or cache of certificates may contain a certificate A, and visiting a website may involve another certificate B, which both have the same {issuer,serial} pair. It may be impossible to visit the website, and the user may not understand the cause (and the Mozilla application will not clearly report the cause). Resolving the situation might require erasing the local storage/cache or asking the website administrator to install a different certificate.

[psm-cert-duplicates]

Error pages for invalid certificates

[psm-cert-error-pages]

Confusion around inability to delete built-in root CA certificates

PSM's certificate manager has confusing UI related to deleting certificates. Root CA certificates that are bundled with the application can not be deleted, it's impossible. They can have their trust removed, which has the same effect. The user interface should be enhanced to make this easier to understand.

[psm-cert-manager]

Ability to search for certificates

The lists of certificates shown by certificate manager can be large. An ability to search for certificate (or filter the view) would be very helpful.

We recently got a code contribution that provided this ability. Unfortunately the code did introduce regressions and it was necessary to back it out (remove it).

We are looking for an contributor who would like to help us by improving the existing patch.

[psm-cert-manager]

Next