On Fri, May 8, 2015 5:38 am, David Woodhouse wrote:
>  These days it does. Modern systems ship with p11-kit², which exists
>  precisely to fill that gap and provide "a standard discoverable
>  configuration for installed PKCS#11 modules."

Your citation ( http://p11-glue.freedesktop.org/p11-kit.html ) fails to
support your claim that "modern systems ship it", as I've noted elsewhere.

>  Although it happens to be Fedora which is first, we obviously expect
>  other distributions and operating systems to follow suit — in
>  practice, even if not with official packaging policy mandates.

And of course, this note - that it's Fedora only - directly counters the
claim above that "modern systems ship" (it's an implied subject that _all_
modern systems do so, which is incorrect. It's not even fair to say _some_
modern systems support it, since it seems, from your evidence, that _one_
modern system requires it)

>  Does this seem like the right approach?

No, you should be able to do it w/o patching NSS.

>  Under precisely what
>  circumstances should we be doing it — should it be affected by the
>  noModDB and noCertDB flags?

Yes, it should. You'll introduce your users to a host of security issues
if you ignore them (especially for situations like Chrome). For example,
if you did what you propose to do, you'd be exposing people's smart card
modules to arbitrary sandboxed Chrome processes - a step BACK for security
that would introduce huge attack surface (by transitive loading of all
those modules' dependencies, including p11-kit's).

>  We may wish to give some consideration to how that would work when it
>  is being loaded into an NSS application which might have its own
>  database in another directory (some broken applications like Firefox
>  still don't use ~/.pki/nssdb ☹) or indeed in the *same* directory
>  (like Chrome does).

And consideration to some applications (like Chrome) that would not want
to load it.

As I've said elsewhere, I'm not fundamentally opposed to p11-kit, but I do
hope you can take these considerations in approach and claims into
consideration before advocating support. I appreciate you're enthusiastic,
and I'm not trying to tell you no, but I am trying to help you understand
that you're not exactly going to win advocates with the current approach.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto