On Sun, 2015-05-10 at 13:50 -0700, Ryan Sleevi wrote:
> On Sun, May 10, 2015 12:57 pm, David Woodhouse wrote:
> > On Sun, 2015-05-10 at 12:47 -0700, Ryan Sleevi wrote:
> > > If the user requests NSS to load a module. It should load that module.
> > > And that module only. Period.
> >
> > The canonical per-user way to request an application to load a module is
> > NSS_Initialize and SECMOD_LoadModule.
>
> Respect the API. Don't violate the API.

Sure, we can modify all the applications to do this and load p11-kit-proxy.so by default. Then the example configuration I showed would actually *work*. That was the third of the potential approaches I referenced from my email at the beginning of this thread, if you recall.

But if we're going to do a bombing run across NSS-using applications and patch them all, I suspect we might do better to convert them to using the Shared System Database. Then a distribution which wants to use p11-kit-proxy can just stick that in sql:/etc/pki/nssdb and we're done — and NSS doesn't have to know anything about p11-kit specifically. This was the first suggestion in my list. But my experience of trying to get the Shared System Database to work has not been entirely happy :)

Certainly, having to touch *all* the apps wasn't my first choice, but if that's the consensus — if NSS *really* doesn't want to support an optional way to load an additional 'system' PKCS#11 provider by default under the right circumstances — then we can certainly attempt it.

--
dwmw2

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto