On 08/01/2010 11:25 AM, Ludovic Rousseau wrote:
> You can consider the library filename to _be_ the configuration file.
> For example the OpenSC PKCS#11 lib is installed in /usr/lib/opensc-pkcs11.so
> And a symbolic link is present in /usr/lib/pkcs11/ and points to the library

Makes sense. It looks like a good way to implement things in GNOME.

That said, such a simple configuration (i.e. /usr/lib/pkcs11) may not work in the following cases:

* PKCS#11 modules such as libsoftokn3.so (NSS) need a string passed into C_Initialize pReserved. That said, such libraries are outside the specification and such libraries are probably not supposed to be loaded on their own anyway.
* The user cannot add or remove PKCS#11 modules. That said, it's debatable whether this is necessary if each PKCS#11 module installed configures itself appropriately.

So in the end, I agree that the "PKCS#11 Registry" based around /usr/lib/pkcs11 is a sound concept. We'll likely end up supporting it in gnome-keyring (for loading of smart card drivers) and seahorse (key management UI of objects on PKCS#11 modules).

>> Yes true. In addition there's no way to disable use of algorithms on
>> specific PKCS#11 modules. For example NSS allows one to specify whether
>> to use a module with RSA and/or DSA when installing that module.
>
> If disabling an algorithm is global you could use the PKCS#11 lib
> configuration file. /etc/opensc.conf in the case of OpenSC.
>
> Why would you need this?

I noticed it in NSS. Not sure of all the reasons behind it.

Cheers,

Stef

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
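
One way a loader could enumerate the /usr/lib/pkcs11 registry discussed in this thread and decide which entries are safe to load, added here as an example and not code from gnome-keyring, seahorse or OpenSC. The ownership and write-permission policy, the `.so` suffix filter and the function names are assumptions that do not come from the thread.

```python
import os
import stat

REGISTRY_DIR = "/usr/lib/pkcs11"  # directory named in the thread


def _unsafe_mode(st, trusted_uid):
    """Return a reason if owner or mode would let another user replace the file."""
    if st.st_uid != trusted_uid:
        return "owner uid %d is not trusted" % st.st_uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "writable by group or others"
    return None


def discover_modules(registry_dir=REGISTRY_DIR, trusted_uid=0):
    """List registry entries as (name, resolved_path, reject_reason) tuples.

    reject_reason is None when the entry passes the vetting policy (assumed).
    """
    reason = _unsafe_mode(os.stat(registry_dir), trusted_uid)
    if reason:
        raise PermissionError("registry %s: %s" % (registry_dir, reason))
    results = []
    for name in sorted(os.listdir(registry_dir)):
        if not name.endswith(".so"):
            continue  # the filename is the configuration: only libraries count
        # Follow the symlink to the installed library before checking it.
        target = os.path.realpath(os.path.join(registry_dir, name))
        try:
            st = os.stat(target)
        except OSError:
            results.append((name, target, "dangling link"))
            continue
        if not stat.S_ISREG(st.st_mode):
            reason = "not a regular file"
        else:
            reason = _unsafe_mode(st, trusted_uid)
        results.append((name, target, reason))
    return results


def loadable(registry_dir=REGISTRY_DIR, trusted_uid=0):
    """Resolved paths a loader could pass to dlopen() and C_GetFunctionList."""
    return [path for _, path, why in discover_modules(registry_dir, trusted_uid)
            if why is None]
```

Because the directory listing is the only configuration, nothing here can carry a per-module C_Initialize string or a per-user module list, which are the two limitations raised in the reply.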