== Type 1 packages: User applications ==
User applications should open NSS using a shared database stored in ~/.pki/nssdb in the user's home directory. If the application needs to store new certificates (like a web browser), then it should open this database read/write. The user's local preferences would be stored in this database. Changes the application wants to make will occur in this database. Any user-specified tokens would also be stored in this database.
In addition, the application should open the system database /etc/pki/nssdb. This database should be opened read-only. The user will typically not have permission to modify this database. This database will provide system-level defaults for tokens to load and root certs to trust. This gives us hooks for things like IPA to manage and distribute trusted root certs system-wide.
[I'm almost certain there's a typo there - how can every application *own* the system database? Don't you mean *open*?- bob: you are correct, changed.]
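The layout described above can be checked on a host with a short audit script. This is an added example, not code from this page or from NSS. The function names are hypothetical, and it assumes the databases use NSS's SQLite file names (cert9.db, key4.db, pkcs11.txt) and that the system database is owned by root:

```python
import os
import stat
from pathlib import Path

# Files NSS creates in its SQLite ("sql:") database format (assumed format).
NSS_DB_FILES = ("cert9.db", "key4.db", "pkcs11.txt")
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH


def _check(label, db_dir, owner):
    """Check one database directory and the NSS files inside it."""
    db_dir = Path(db_dir)
    if not db_dir.is_dir():
        return [f"{label}: {db_dir} does not exist"]
    findings = []
    present = [db_dir / n for n in NSS_DB_FILES if (db_dir / n).is_file()]
    if not present:
        findings.append(f"{label}: no NSS database files in {db_dir}")
    for path in [db_dir, *present]:
        st = path.stat()
        if st.st_uid != owner:
            findings.append(f"{label}: {path} owned by uid {st.st_uid}, expected {owner}")
        if stat.S_IMODE(st.st_mode) & OTHERS_WRITE:
            findings.append(f"{label}: {path} is group- or world-writable")
    return findings


def audit_nssdb(user_db, system_db, user_uid=None, system_owner=0):
    """Return findings; an empty list means the layout matches the policy.

    user_db   : opened read/write, so it must belong to the user alone.
    system_db : opened read-only, so it must belong to system_owner (root
                by default, an assumption) and not be writable by others.
    """
    user_uid = os.getuid() if user_uid is None else user_uid
    return (_check("user", user_db, user_uid)
            + _check("system", system_db, system_owner))


if __name__ == "__main__":
    for finding in audit_nssdb(Path.home() / ".pki" / "nssdb", "/etc/pki/nssdb"):
        print(finding)
```

A writable system database would let an unprivileged user change the root certs every application on the host trusts, which is why the audit treats any group or world write bit there as a finding.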
== Type 2 packages: Services applications ==