On Fri, 2015-05-08 at 15:00 -0700, Ryan Sleevi wrote:
> On Fri, May 8, 2015 6:09 am, David Woodhouse wrote:
> >  On Linux distributions it *is* the platform's
> >  mechanism of choice for configuring PKCS#11 tokens. NSS needs to
> >  support it if it wants to integrate with the platform properly.
> 
> I'm sorry to continually push back on this, but you continue to make this
> claim. This is a heady claim that lacks any evidence (so far) to support
> it, beyond a particular distro.

I believe it's *all* the major distros. Fairly much anything that ships
GNOME, anything that ships with a fully functional GnuTLS. But maybe I'm
nit-picking :)

> 1) You can't really talk about "the platform's mechanism" for Linux,
> unless/until it's part of LSB.

That's a good idea; we should look at including p11-kit in the LSB.

But yes, I said "Linux" and that's not what I meant. Linux really means
just the kernel, not the whole GNU/MIT/Xorg/etc/Linux operating system,
and not the LSB either.

Please forgive my laziness and pretend I actually said "all the major
desktop Linux distributions" instead of just "Linux".

Let's try again...

It would be nice if NSS would integrate with the system-wide
configuration for PKCS#11 providers that exists in all the major desktop
Linux distributions. One of them has recently added packaging guidelines
that its packages SHOULD do so, and for the others it's just a good
idea.

There, is that better?

>  So you can equally argue (and more accurately argue)
> that p11-kit is failing to integrate with the platform properly by failing
> to register itself with NSS.

I'm happy with looking at it like that. Perfectly happy.

So tell me: how does a PKCS#11 provider module "register itself with
NSS" such that it's automatically loaded in NSS applications? I know how
to do it for GnuTLS and I know how to do it for OpenSSL(+engine_pkcs11).
Tell me how to do it for NSS and my work here is done.

In fact, if you look at the straw-man patch I sent, that was basically
all I *was* doing. It would be a configure/build-time option to load a
specific module automatically. On systems that *want* it, they'd
configure it to load p11-kit-proxy.so. On others, they wouldn't.

-- 
dwmw2
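The two registration mechanisms this message contrasts, shown as an added example (not part of the thread and not code from NSS or p11-kit): on the p11-kit side, a provider is made known system-wide by a small `.module` file; on the NSS side, a module such as p11-kit-proxy.so is registered with `modutil`, which writes into one specific NSS database rather than applying to every NSS application, which is exactly the gap the message is asking about. The library paths, database directory and module name in the script are assumptions for illustration; adjust them to the distribution in use.

```shell
#!/bin/sh
# Added example, not from the original thread. Shows:
#  1. p11-kit side: a module config file that makes a PKCS#11 provider visible
#     to p11-kit (and so to GnuTLS and to anything that loads p11-kit-proxy.so).
#  2. NSS side: registering p11-kit-proxy.so in one NSS database with modutil.
# All paths and names below are assumed values for illustration.
set -eu

# Write a p11-kit module configuration file.
#   $1 = directory (system-wide: /etc/pkcs11/modules or /usr/share/p11-kit/modules)
#   $2 = module name   $3 = shared library path   $4 = critical ("yes" or "no")
# Prints the path of the file it wrote.
write_p11kit_module() {
    dir=$1; name=$2; lib=$3; critical=$4
    mkdir -p "$dir"
    cat > "$dir/$name.module" <<EOF
# p11-kit module configuration for $name (generated by this example)
module: $lib
# critical: yes makes p11-kit report a failure if this module cannot be loaded
critical: $critical
EOF
    printf '%s\n' "$dir/$name.module"
}

# Read back the library path recorded in a p11-kit module file, so a deploy
# script can verify what it just installed.
p11kit_module_library() {
    sed -n 's/^module:[[:space:]]*//p' "$1"
}

# Build the modutil command that registers p11-kit-proxy.so in an NSS
# database (sql: format). -force suppresses the interactive prompt.
#   $1 = NSS database directory   $2 = path to p11-kit-proxy.so
nss_modutil_add_command() {
    printf 'modutil -dbdir sql:%s -add p11-kit-proxy -libfile %s -force\n' "$1" "$2"
}

# Run the registration if modutil is installed, then list the modules the
# database now knows about. Note this affects only the given database.
nss_register_p11kit_proxy() {
    dbdir=$1; proxy=$2
    if command -v modutil >/dev/null 2>&1; then
        modutil -dbdir "sql:$dbdir" -add "p11-kit-proxy" -libfile "$proxy" -force
        modutil -dbdir "sql:$dbdir" -list
    else
        echo "modutil not found; would run: $(nss_modutil_add_command "$dbdir" "$proxy")" >&2
        return 1
    fi
}

# Usage (assumed paths):
#   write_p11kit_module /etc/pkcs11/modules example-token /usr/lib/example-pkcs11.so no
#   nss_register_p11kit_proxy "$HOME/.pki/nssdb" /usr/lib/p11-kit-proxy.so
```

The asymmetry the script makes visible is the point of the thread: the p11-kit file is picked up by every p11-kit-aware consumer on the host, whereas the `modutil` call has to be repeated for each NSS database (each user's profile, each application's database) before that application sees the token.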


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto