On Tue, 2015-05-12 at 10:17 -0700, Ryan Sleevi wrote:
> On Tue, May 12, 2015 9:44 am, Peter Bowen wrote:
> > How about an even simpler solution? Don't have p11-kit load the
> > PKCS#11 modules, just provide a list of paths and let the application
> > pass those to NSS. That way the applicatio
On 11-05-15 20:21, Ryan Sleevi wrote:
> On Mon, May 11, 2015 4:09 am, David Woodhouse wrote:
> > I completely agree that Chrome should only ever load the modules which
> > are configured to be loaded into Chrome. I'm surprised you feel the
> > need to mention that.
> Because you still don't understand,
On Tue, May 12, 2015 9:44 am, Peter Bowen wrote:
> How about an even simpler solution? Don't have p11-kit load the
> PKCS#11 modules, just provide a list of paths and let the application
> pass those to NSS. That way the application can choose to
> transparently load modules without user int
On Tue, May 12, 2015 at 8:40 AM, David Woodhouse wrote:
> On Mon, 2015-05-11 at 11:21 -0700, Ryan Sleevi wrote:
>> It's not simply sufficient to load module X into Chrome or not. p11-kit's
>> security model is *broken* for applications like Chrome, at least with
>> respect to how you propose to im
On Mon, 2015-05-11 at 11:21 -0700, Ryan Sleevi wrote:
> It's not simply sufficient to load module X into Chrome or not. p11-kit's
> security model is *broken* for applications like Chrome, at least with
> respect to how you propose to implement.
I've proposed at least four different options and as
On Mon, 2015-05-11 at 11:24 -1000, Brian Smith wrote:
>
> Said differently, there is nothing special about Linux. Just as Firefox
> intentionally doesn't use Windows's central certificate trust database on
> Windows, and just as it doesn't use Mac OS X's central certificate trust
> database on Mac
David Woodhouse wrote:
> The sysadmin should be able to configure things for *all* users
> according to the desired policy, rather than forcing each user to set
> things up for themselves.
>
> And in turn the *developers* of the operating system distribution
> should be able to set a default poli
On Mon, May 11, 2015 4:09 am, David Woodhouse wrote:
> I completely agree that Chrome should only ever load the modules which
> are configured to be loaded into Chrome. I'm surprised you feel the
> need to mention that.
Because you still don't understand, despite how many ways I'm trying to
say
On Sun, 2015-05-10 at 12:47 -0700, Ryan Sleevi wrote:
>
> - Don't load a module unless the user has explicitly asked or configured
> that module to be loaded.
> - Do not patch NSS to load modules outside of the explicitly requested
> modules.
Quite right; that's absolutely how we should behave.
On Sun, 2015-05-10 at 13:50 -0700, Ryan Sleevi wrote:
> On Sun, May 10, 2015 12:57 pm, David Woodhouse wrote:
> > On Sun, 2015-05-10 at 12:47 -0700, Ryan Sleevi wrote:
> > > If the user requests NSS to load a module. It should load that module.
> > > And that module only. Period.
> >
> > The cano
On Sun, May 10, 2015 12:57 pm, David Woodhouse wrote:
> On Sun, 2015-05-10 at 12:47 -0700, Ryan Sleevi wrote:
> > If the user requests NSS to load a module. It should load that module.
> > And that module only. Period.
>
> The canonical per-user way to request an application to load a module is
On Sun, 2015-05-10 at 12:47 -0700, Ryan Sleevi wrote:
> If the user requests NSS to load a module. It should load that module.
> And that module only. Period.
The canonical per-user way to request an application to load a module is
for me to create a file in ~/.config/pkcs11/modules/*.module which
On Sun, 2015-05-10 at 12:11 -0700, Ryan Sleevi wrote:
> On Sat, May 9, 2015 3:30 pm, David Woodhouse wrote:
> > > No, you should be able to do it w/o patching NSS.
> >
> > OK... how?
> >
> > If the Shared System Database wasn't such an utter failure, not even
> > being used by Firefox itself, th
On Sun, May 10, 2015 12:31 pm, David Woodhouse wrote:
> > You don't need to expose it to the sandbox to use PKCS#11 in the web
> > browser. That's not how modern sandboxed browsers work.
>
> That sounds like a bit of a failure of the sandboxing to me. Just so I
> understand what you're saying...
On Sun, 2015-05-10 at 12:07 -0700, Ryan Sleevi wrote:
> On Sat, May 9, 2015 3:30 pm, David Woodhouse wrote:
> > On Fri, 2015-05-08 at 15:07 -0700, Ryan Sleevi wrote:
> > > Yes, it should. You'll introduce your users to a host of security issues
> > > if you ignore them (especially for situations l
On Sat, May 9, 2015 3:30 pm, David Woodhouse wrote:
> > No, you should be able to do it w/o patching NSS.
>
> OK... how?
>
> If the Shared System Database wasn't such an utter failure, not even
> being used by Firefox itself, then just installing it there would have
> been a nice idea. But *not
On Sat, May 9, 2015 3:30 pm, David Woodhouse wrote:
> On Fri, 2015-05-08 at 15:07 -0700, Ryan Sleevi wrote:
> > Yes, it should. You'll introduce your users to a host of security issues
> > if you ignore them (especially for situations like Chrome). For example,
> > if you did what you propose to d
On Fri, 2015-05-08 at 15:00 -0700, Ryan Sleevi wrote:
> On Fri, May 8, 2015 6:09 am, David Woodhouse wrote:
> > On Linux distributions it *is* the platform's
> > mechanism of choice for configuring PKCS#11 tokens. NSS needs to
> > support it if it wants to integrate with the platform properly.
>
On Fri, 2015-05-08 at 15:07 -0700, Ryan Sleevi wrote:
> On Fri, May 8, 2015 5:38 am, David Woodhouse wrote:
> > These days it does. Modern systems ship with p11-kit², which exists
> > precisely to fill that gap and provide "a standard discoverable
> > configuration for installed PKCS#11 modules
On Fri, May 8, 2015 5:38 am, David Woodhouse wrote:
> These days it does. Modern systems ship with p11-kit², which exists
> precisely to fill that gap and provide "a standard discoverable
> configuration for installed PKCS#11 modules."
Your citation ( http://p11-glue.freedesktop.org/p11-kit.ht
On Fri, May 8, 2015 6:09 am, David Woodhouse wrote:
> On Linux distributions it *is* the platform's
> mechanism of choice for configuring PKCS#11 tokens. NSS needs to
> support it if it wants to integrate with the platform properly.
I'm sorry to continually push back on this, but you continue t
On 08-05-15 15:46, David Woodhouse wrote:
> FWIW on Linux your installer/package needs to be shipping a module
> file like the one in /usr/share/p11-kit/modules/opensc.module
Well, since p11-kit is not found on the older distributions that we
still support, and non-functional on some newer distrib
On Fri, 2015-05-08 at 15:23 +0200, Wouter Verhelst wrote:
> On 08-05-15 15:09, David Woodhouse wrote:
> > On Fri, 2015-05-08 at 14:58 +0200, Wouter Verhelst wrote:
> > > In light of that, it would be great if firefox/libnss were to
> > > allow
> > > configuration of PKCS#11 modules externally -- n
On 08-05-15 15:09, David Woodhouse wrote:
> On Fri, 2015-05-08 at 14:58 +0200, Wouter Verhelst wrote:
> > In light of that, it would be great if firefox/libnss were to allow
> > configuration of PKCS#11 modules externally -- not just on Linux,
> > but on OSX and Windows too.
> Well, p11-kit does build on OSX
On Fri, 2015-05-08 at 14:58 +0200, Wouter Verhelst wrote:
> In light of that, it would be great if firefox/libnss were to allow
> configuration of PKCS#11 modules externally -- not just on Linux,
> but on OSX and Windows too.
Well, p11-kit does build on OSX and Windows too but it doesn't have
th
On 08-05-15 14:38, David Woodhouse wrote:
> Bug 248722¹ has been open since 2004 requesting a system-wide
> configuration for PKCS#11 modules. At the time, such a thing didn't
> exist.
> These days it does. Modern systems ship with p11-kit², which exists
> precisely to fill that gap and provide "a standar
Bug 248722¹ has been open since 2004 requesting a system-wide
configuration for PKCS#11 modules. At the time, such a thing didn't
exist.
These days it does. Modern systems ship with p11-kit², which exists
precisely to fill that gap and provide "a standard discoverable
configuration for installed P
27 matches