The p11-kit trust module provides a replacement for libnssckbi.so. Firefox should be able to continue to override these system preferences with NSS trust objects stored in its softoken database.
This needs to be tested and make sure there are no surprises. Initial testing seems to show that some of the trust overrides do not get stored properly in the softtoken and continue to leak through from p11-kit trust module.
Kai noted this may be due to the fact that we have the concept of a client auth purpose, whereas NSS treats server-auth and client-auth together as a single concept.
I'll do more testing of this.
It's been a while since this has been reported, and the software has improved.
I have tested the behaviour of p11-kit 0.17.4, and it seems to work correctly.
I noticed a slight difference, but it's probably not a problem:
When using Firefox with the original libnssckbi.so, and using Firefox certificate manager to edit the trust of a CA stored in the "builtin object token", then Firefox will always know that the CA originated from the "builtin object token", and always indicate it as the origin of the CA in certificate manager.
However, when using Firefox with p11-kit-trust.so, as soon as the CA trust gets edited, then Firefox / NSS will no longer know where the CA originally came from. After the first trust edit, certificate manager will stop showing the name of the p11-kit-trust token (e.g. "Default Trust") and show "Software Security Device". Even after editing the Firefox specific trust to the state that is identical to the storage of the p11-kit-trust.so module, certificate manager will continue to label the CA with "Software Security Device".
I don't know if this slight change in behaviour could potentially cause any problems.
Closing this now. I agree that it doesn't seem like this behavior is going to cause problems.