NSS currently does not support the standard CKA_TRUSTED attribute and has defined its own trust attributes. We currently do not examine these NSS attributes, so any NSS token (softtoken or their trust anchor token) will show up without any trusted certificates in the PKCS11 KeyStore.

This is a significant limitation for applications that want to access the NSS databases from Java (e.g. JES stack and Plugin). Supporting those attributes may also allow us to add trusted certificates to NSS tokens, which is something that is not possible with the CKA_TRUSTED attribute, which is defined as read-only in PKCS#11.