On 01/04/2012 05:17 PM, Brian Smith wrote:
> Robert Relyea wrote:
>> On 01/04/2012 09:04 AM, Anders Rundgren wrote:
>>>> There is a capi module in the NSS source tree, but it purposefully
>>>> does not surface removable CAPI modules under the assumption that
>>>> such devices already have PKCS #11 modules.
> While it may be true that they have PKCS#11 modules, the user probably does
> not have the PKCS#11 module installed, but they probably have the CAPI module
> installed. The idea motivating the consideration of supporting CAPI is to
> have a "zero configuration" experience for switching from other browsers
> (especially IE) to Firefox. The possibility of plug-and-play smartcards in
> Windows 7 pushes us more towards CAPI support on Windows.
>
> I now have five smartcard tokens (for accessing my new Chinese bank accounts)
> and they all have CAPI modules installed but only one has a PKCS#11 module
> even available for me to install into Firefox.

That is why I mentioned the way the PKCS #11 is currently coded. I'm not
saying it has to *stay* that way....

>> I was primarily trying to avoid a loop. The CAPI drivers we use are
>> CAPI to PKCS #11. The configurations I was running with had the
>> PKCS #11 module installed in NSS and the CAPI to PKCS #11 module
>> installed in capi.
> Interesting. I did not know that. Unfortunately, I doubt there would be an
> easy way to automatically locate the PKCS#11 module given the CAPI module.

There may be a way to identify the CAPI to PKCS #11 module (possibly with
changes to the CAPI to PKCS #11 module), and maybe even have the CAPI to
PKCS #11 module tell where its PKCS #11 module is. We could then decide to
1) not surface that module, 2) not surface that module, but provide NSS
with the native PKCS #11 module to load, or 3) not load the PKCS #11 module
that matches. 3 would require some changes to NSS itself.

>
> I am curious as to how smartcard management is supposed to work for Linux. It
> seems to me that it would be ideal for Firefox to support the shared DB on
> Linux. Are there OS-level tools for managing the shared DB? For example, is
> there an OS-level UI for adding/removing PKCS#11 modules in Fedora/RHEL that
> would make Firefox's UI for this redundant?

System level PKCS #11 modules (installed by the administrator) are stored
in /etc/pki/nssdb, user level PKCS #11 modules (installed by the user) are
stored in ~/.pki/nssdb. User level applications load both the system
modules and the user modules. How this works under the covers is described
here: https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX

bob

>
> - Brian
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
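
An added example, not part of the thread or of NSS: a small audit of the PKCS #11 modules an application would load from the system and user shared DBs described above, flagging user-installed libraries and duplicates. It assumes each database directory keeps its module list in a pkcs11.txt file of blank-line-separated key=value stanzas; the sample contents, library paths and TRUSTED_DIRS are constructed for illustration.

```python
import os

# Constructed sample pkcs11.txt contents (assumed format, not from a real host).
SYSTEM_SAMPLE = """\
library=
name=NSS Internal PKCS #11 Module

library=/usr/lib64/pkcs11/libcoolkeypk11.so
name=CoolKey PKCS #11 Module
"""
USER_SAMPLE = """\
library=/home/alice/Downloads/libtoken.so
name=Bank Token

library=/usr/lib64/pkcs11/libcoolkeypk11.so
name=CoolKey PKCS #11 Module
"""
TRUSTED_DIRS = ("/usr/lib/", "/usr/lib64/")  # assumption: admin-controlled paths

def parse_modules(text):
    """Split blank-line-separated stanzas into dicts of key -> value."""
    modules = []
    for stanza in text.replace("\r\n", "\n").split("\n\n"):
        entry = {}
        for line in stanza.splitlines():
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                entry[key.strip().lower()] = value.strip()
        if entry:
            modules.append(entry)
    return modules

def audit(system_text, user_text):
    """Return (source, name, library, note) for every module an app would load."""
    report, seen = [], set()
    # System modules first, then user modules, since user apps load both.
    for source, text in (("system", system_text), ("user", user_text)):
        for mod in parse_modules(text):
            lib = mod.get("library", "")
            if not lib:
                note = "internal"  # built-in module, no external library
            elif lib in seen:
                note = "duplicate"  # same library already listed earlier
            elif source == "user" and not os.path.normpath(lib).startswith(TRUSTED_DIRS):
                note = "review: user-installed library outside trusted dirs"
            else:
                note = "ok"
            seen.add(lib)
            report.append((source, mod.get("name", "?"), lib, note))
    return report
```

On a real host, pass the contents of /etc/pki/nssdb/pkcs11.txt and ~/.pki/nssdb/pkcs11.txt to audit() in place of the samples.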