Re: NSS and PKCS#11 versions of modules

Wed, 10 Dec 2008 17:13:29 -0800 

Nelson B Bolyard wrote:



Firefox does not allow removal. It'll be a small change to the code
to handle  removal, though it makes the slot checks more expensive.
If you could write a bug up I'd appreciate it.

        

I don't recall the details now, but as I recall, there was some nasty 
problem with shrinking sets of slots.  I think it was simply that if 
the module can shrink it while it is in use, it may cause the code
outside the module to reference a stale pointer.  Something like that. 
Do you recall the particulars?
      

The worry was compatibility. An application that was written to the 2.11 
spec might fail  (in bad ways) if actual number of slots changed. It may 
be they decided that the NULL pointer to get the count was all the 
semantic that was needed.

How many slots does FF/NSS support 
    


It's dynamic.  No fixed limit.  But presently, the list may only grow,
not shrink.


  

(if I need to add new slots with every different reader for 2 days, when
will I run out of slots..)

    

Slots typically tie to readers, which could have a token inserted or not.


I think you're talking about a common implementation where the token and
reader are one and the same, and the act of connecting the token also
connects a new reader.  One way to implement that in PKCS#11 is to add a
slot for every reader.  But I don't know of ANY implementation that

actually works that way. 

Coolkey does. When you insert a token with reader the first time, 
Coolkey creates a slot for it. When the reader is removed, the slot 
still exists, but is marked empty. When the same token is inserted, the 
slot gets reused (in some cases the slot may reused for any new token of 
the same time). In Coolkey's case whether or not a slot gets reused 
depends on the reader driver and what name the reader gives the new 
token. It's pretty easy just to mark the slot as empty until a new 
reader drops in. Software already handles insertions an removals OK.


bob



Attachment:
smime.p7s

Description: S/MIME Cryptographic Signature


_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto






















					Reply via email to