On Thu, Sep 11, 2008 at 04:40:19PM -0500, Douglas E. Engert wrote:
>
>
> Nicolas Williams wrote:
> > On Thu, Sep 11, 2008 at 03:35:47PM -0500, Nicolas Williams wrote:
> >> On Thu, Sep 11, 2008 at 03:11:15PM -0500, Will Fiveash wrote:
> >>> If we must support "-X PKCS11:module_name=/tmp/libpkcs11.so.1" then this
> >
> > If we can make OpenSC accessible through libpkcs11 (and I don't see why
> > not, though the fact that it uses its own pk11 header file not derived
> > directly from the standard means we should check that the ABIs match)
> > then we should do that and drop this option.
>
> Sounds reasonable for multiple vendors, but you don't have to drop the
> option...

Well, Sun also has to conform to US export regulations which complicates matters in regards to how Solaris provides and uses crypto. For example, our pkcs11 crypto modules must be ELFsigned so that Sun can guarantee to the US gov. that third parties will not be able to drop in their own crypto modules. So this may be an issue pertinent to this discussion.

In addition, I'm not wild about letting customers modify the code paths taken by the native Solaris krb. There are issues regarding reliability and security here. And while it's easy to say that the user should be aware of these things, often it's best not to give them the option to blow their foot off because they will inevitably blame the provider of the command they ran (in this case kinit/Sun).

> Being able to use pkcs11-spy is *VERY* helpful...

Well, perhaps we can do better with Dtrace as Nico mentioned.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
