Hello,

(saved this message from the moderation list, Stef, you should subscribe)

On Aug 1, 2010, at 2:21 PM, Stef wrote:

> * PKCS#11 modules such as libsoftokn3.so (NSS) need a string passed
>   into C_Initialize pReserved. That said, such libraries are outside
>   the specification and such libraries are probably not supposed to be
>   loaded on their own anyway.

Do you know other modules that *require* something in pReserved?
You're probably right; I don't think that such modules should be loaded unless
you need to use some software algorithm that is implemented in libsoftokn3 and
which you need to access via PKCS#11 for some reason.

> * The user cannot add or remove PKCS#11 modules. That said, it's
>   debatable whether this is necessary if each PKCS#11 module
>   installed configures itself appropriately.

Eventually the application needs to load a single specific module, the 
"registry" can only help in locating a possibly suitable module, but by no 
means should it be the only source (if user configurability is required) nor a 
fixed prefix (disallowing modules not in that location).


> So in the end, I agree that the "PKCS#11 Registry" based around
> /usr/lib/pkcs11 is a sound concept. We'll likely end up supporting it in
> gnome-keyring (for loading of smart card drivers) and seahorse (key
> management UI of objects on PKCS#11 modules).
> 
>>> Yes true. In addition there's no way to disable use of algorithms on
>>> specific PKCS#11 modules. For example NSS allows one to specify whether
>>> to use a module with RSA and/or DSA when installing that module.
>> 
>> If disabling an algorithm is global you could use the PKCS#11 lib
>> configuration file. /etc/opensc.conf in the case of OpenSC.
>> 
>> Why would you need this?
> 
> I noticed it in NSS. Not sure of all the reasons behind it.

NSS is also built around PKCS#11-ish concepts. As it supports loading several
PKCS#11 modules (softoken being one of them) there could be multiple modules
implementing the same algorithms.

It does not make sense for hardware based keys though.


-- 
Martin Paljak
@martinpaljak.net
+3725156495

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
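As an added example (not code from this thread, from OpenSC or from NSS), the loader below shows the two points discussed above in C: the module lookup treats /usr/lib/pkcs11 only as a fallback hint for a bare module name, never as the sole source or a fixed prefix, and C_Initialize is called with a CK_C_INITIALIZE_ARGS whose pReserved is NULL unless the caller explicitly supplies the configuration string that a non-conforming module such as libsoftokn3.so wants. It assumes no pkcs11.h is available and declares only the Cryptoki types it needs (the standard layout of CK_C_INITIALIZE_ARGS and the first members of CK_FUNCTION_LIST); the function names resolve_module_path and pkcs11_initialize and the PKCS11_MODULE environment variable are this example's own.

```c
/* Added example: minimal PKCS#11 module loader. The Cryptoki declarations
 * below mirror the standard header (assumption: no pkcs11.h on the host). */
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned long CK_RV;
typedef unsigned long CK_FLAGS;
typedef void *CK_VOID_PTR;
typedef unsigned char CK_BYTE;
typedef CK_RV (*CK_GENERIC_FN)(void);
#define CKR_OK 0UL
#define CKF_OS_LOCKING_OK 0x00000002UL

typedef struct CK_VERSION { CK_BYTE major; CK_BYTE minor; } CK_VERSION;

/* C_Initialize arguments: NULL mutex callbacks plus CKF_OS_LOCKING_OK ask
 * the module to use the OS locking primitives itself. */
typedef struct CK_C_INITIALIZE_ARGS {
    CK_GENERIC_FN CreateMutex, DestroyMutex, LockMutex, UnlockMutex;
    CK_FLAGS flags;
    CK_VOID_PTR pReserved;
} CK_C_INITIALIZE_ARGS;

/* Prefix of CK_FUNCTION_LIST in the standard ordering; the remaining entry
 * points are omitted, so nothing here may index past C_Finalize. */
typedef struct CK_FUNCTION_LIST {
    CK_VERSION version;
    CK_RV (*C_Initialize)(CK_VOID_PTR pInitArgs);
    CK_RV (*C_Finalize)(CK_VOID_PTR pReserved);
} CK_FUNCTION_LIST;
typedef CK_RV (*CK_C_GetFunctionList)(CK_FUNCTION_LIST **);

#define PKCS11_REGISTRY_DIR "/usr/lib/pkcs11"  /* the "registry" of the thread */

/* Lookup order: an explicit path wins, then a user-configured path, and only
 * for a bare module name is the registry directory used as a hint. Names
 * containing '/' are not registry names and are rejected. 0 on success. */
int resolve_module_path(const char *explicit_path, const char *configured_path,
                        const char *registry_name, char *out, size_t outlen)
{
    const char *chosen = NULL;
    if (explicit_path && *explicit_path) chosen = explicit_path;
    else if (configured_path && *configured_path) chosen = configured_path;
    if (chosen) {
        if (strlen(chosen) >= outlen) return -1;
        strcpy(out, chosen);
        return 0;
    }
    if (!registry_name || !*registry_name || strchr(registry_name, '/')) return -1;
    if (snprintf(out, outlen, "%s/%s", PKCS11_REGISTRY_DIR, registry_name) >= (int)outlen)
        return -1;
    return 0;
}

/* dlopen the module, fetch its function list and call C_Initialize.
 * reserved_config stays NULL for spec-conforming modules; the thread names
 * NSS's libsoftokn3.so as the exception that wants a string in pReserved.
 * Returns CKR_OK, the module's Cryptoki error, or (CK_RV)-1 on load failure. */
CK_RV pkcs11_initialize(const char *path, const char *reserved_config,
                        void **handle_out, CK_FUNCTION_LIST **funcs_out)
{
    void *h = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (!h) return (CK_RV)-1;
    CK_C_GetFunctionList getlist = (CK_C_GetFunctionList)dlsym(h, "C_GetFunctionList");
    if (!getlist) { dlclose(h); return (CK_RV)-1; }
    CK_FUNCTION_LIST *fl = NULL;
    CK_RV rv = getlist(&fl);
    if (rv != CKR_OK || !fl) { dlclose(h); return rv == CKR_OK ? (CK_RV)-1 : rv; }
    CK_C_INITIALIZE_ARGS args;
    memset(&args, 0, sizeof args);
    args.flags = CKF_OS_LOCKING_OK;
    args.pReserved = (CK_VOID_PTR)reserved_config;  /* NULL unless the module demands it */
    rv = fl->C_Initialize(&args);
    if (rv != CKR_OK) { dlclose(h); return rv; }
    *handle_out = h;
    *funcs_out = fl;
    return CKR_OK;
}

/* argv[1] is either a path or a bare registry name; PKCS11_MODULE (an
 * environment variable invented for this example) stands in for user config. */
int main(int argc, char **argv)
{
    char path[512];
    void *h = NULL;
    CK_FUNCTION_LIST *fl = NULL;
    const char *arg = argc > 1 ? argv[1] : "opensc-pkcs11.so";
    const char *explicit = strchr(arg, '/') ? arg : NULL;
    if (resolve_module_path(explicit, getenv("PKCS11_MODULE"), explicit ? NULL : arg,
                            path, sizeof path) != 0) {
        fprintf(stderr, "no module resolved\n");
        return 1;
    }
    CK_RV rv = pkcs11_initialize(path, NULL, &h, &fl);
    if (rv != CKR_OK) { fprintf(stderr, "%s: initialisation failed (0x%lx)\n", path, rv); return 1; }
    printf("%s: Cryptoki %u.%u initialised\n", path, fl->version.major, fl->version.minor);
    fl->C_Finalize(NULL);
    dlclose(h);
    return 0;
}
```

Run it with a path to any installed module to initialise that exact library, or with a bare name to fall back to /usr/lib/pkcs11; a module that needs pReserved gets its string through the second argument of pkcs11_initialize instead of being special-cased in the lookup.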
