On 08-05-15 14:38, David Woodhouse wrote:
> Bug 248722¹ has been open since 2004 requesting a system-wide
> configuration for PKCS#11 modules. At the time, such a thing didn't
> exist.
>
> These days it does. Modern systems ship with p11-kit², which exists
> precisely to fill that gap and provide "a standard discoverable
> configuration for installed PKCS#11 modules."

As an additional data point, I'd like to point out that as a PKCS#11
_provider_, having a system-wide PKCS#11 registry would avoid ugliness
like https://addons.mozilla.org/en-US/firefox/addon/belgium-eid/; the
sole reason for which this extension exists is that if we ship it
together with our PKCS#11, we don't have to include instructions that
tell people to click 10+ times¹ just to configure their browser so they
can do their tax declaration ("But I've just installed it!"). As it is,
the extension is the only way we can do all of that, but it causes a lot
of confusion (people who believe it will work if they just install the
extension from addons.mozilla.org without the PKCS#11 module, and
similar things).

In light of that, it would be great if firefox/libnss were to allow
configuration of PKCS#11 modules externally -- not just on Linux, but on
OSX and Windows too. From where I'm standing, it's perfectly fine if
there's a "did you install this" kind of question on the next firefox
start, as long as a process external to the browser can install such a
module.

Regards,

¹ = -> preferences -> advanced -> certificates -> security devices ->
load -> browse -> open -> ok -> ok -> close; that's 11 by my count (and
then you haven't selected the file yet).
--
Wouter Verhelst
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto