On 08-05-15 15:09, David Woodhouse wrote:
On Fri, 2015-05-08 at 14:58 +0200, Wouter Verhelst wrote:
In light of that, it would be great if firefox/libnss were to allow
configuration of PKCS#11 modules externally -- not just on Linux,
but on OSX and Windows too.

Well, p11-kit does build on OSX and Windows too but it doesn't have
the same status there. On Linux distributions it *is* the platform's
mechanism of choice for configuring PKCS#11 tokens. NSS needs to
support it if it wants to integrate with the platform properly.

On OSX and Windows, p11-kit is just some third-party software.

Which would mean that if this gets to be "the way to do it", we don't fix the problem on those platforms -- instead, we just move it from "install an individual PKCS#11 module" to "install p11-kit".

But then again, isn't PKCS#11 itself an impostor on those platforms
anyway?

Yeah, sort of. That is, Windows' and OSX' native browsers (IE and Safari) each have their very own model of dealing with crypto hardware, which in neither case involves PKCS#11 (I must admit that my colleague knows the details there better than I do, though).

Firefox is the odd one out in that regard, where it doesn't use the platform-specific crypto hardware APIs. That isn't a problem from our POV (we support PKCS#11 for more than just firefox; and even if that wasn't the case, having an option that uses a different mechanism is useful as a debugging aid); but it does mean that with the current state of affairs, Firefox is the only browser that doesn't support installing our eID middleware without a step internal to the browser -- except for Chrome on Linux, since it also uses libnss there.

Windows has a *different* model for installing crypto hardware —
really, your problem on Windows is that NSS doesn't use nss_capi by
default, isn't it? (And that nss_capi hasn't been updated to CNG and
that you should be shipping a minidriver or a CSP...)

I think the same is true for OSX, with something like PKCS11_keychain?

Something along those lines, yes. As I said, I'm not too sure about the details here, since my colleague usually deals with those.

--
Wouter Verhelst
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto