On Tue, 2014-12-09 at 06:00 +0100, Stef Walter wrote:
> On 05.12.2014 21:26, David Woodhouse wrote:
> > Is this an accurate rendition of how this stuff *ought* to look to
> > users?
> >
> > http://www.infradead.org/openconnect/pkcs11.html
>
> My two takeaways:
>
> * It's unfortunate that you need three different tools installed.
Well, it's only one 'tool', isn't it? Just p11tool. And OpenConnect itself, of course, and you need it to be built with GnuTLS+p11-kit support. But that's a fairly fundamental, and entirely reasonable, requirement.

> There is some support for listing things in p11-kit, but I guess it
> isn't enough?

Yeah, /usr/bin/p11-kit has a 'list-modules' option but it doesn't give you the PKCS#11 URI for the slots, and it doesn't have a way that I'm aware of to list the *objects* therein.

For now, since GnuTLS is the *only* library that can sanely use PKCS#11 URIs, it's not *so* bad to require a tool that comes with GnuTLS.

We *really* ought to fix ENGINE_PKCS11 to use PKCS#11 URIs instead of its own text format, so that OpenSSL applications can work. By symlinking p11-kit-proxy.so from libnssckbi.so we can get the p11-kit configured modules to show up in NSS, but there's also work to be done there to allow objects to be selected with a PKCS#11 URI.

I'd love for one of the more progressive distributions to come up with a 'Feature' for an upcoming release which is "All apps which use certificates shall use p11-kit and work with PKCS#11 URIs". After all, we've already got "all apps use the system trust from p11-kit-trust", working *even* for apps that use NSS and OpenSSL. This is just the logical next step.

> * One really wants a GUI selector that uses a pkcs11 URI behind the
> scenes.

We have a start on this, in gcr. For more discussion see the open NetworkManager-${ALLVPN} bug in https://bugzilla.gnome.org/679860

-- 
dwmw2
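As an added example (not code from this thread, GnuTLS, p11-kit or OpenConnect): a small parser and matcher for PKCS#11 URIs, the selector format the message wants ENGINE_PKCS11 and NSS to adopt instead of their own schemes. The attribute names follow RFC 7512; the token and certificate records are constructed sample data standing in for what p11tool would enumerate.

```python
"""Parse PKCS#11 URIs (RFC 7512) and match them against token/object records.
Added example, not code from the p11-glue thread; the records below are constructed."""
from urllib.parse import unquote_to_bytes

# Path attributes identify a token or object; query attributes tell the
# application how to load the module or obtain the PIN (RFC 7512 section 2.3).
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}

def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) with percent-decoded values.
    'id' stays raw bytes because CKA_ID is binary; all other values are UTF-8 text."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def split(part, allowed):
        sep = ";" if allowed is PATH_ATTRS else "&"   # path uses ';', query uses '&'
        out = {}
        for item in filter(None, part.split(sep)):
            key, eq, value = item.partition("=")
            if not eq or key not in allowed:
                raise ValueError(f"bad or unknown attribute: {item!r}")
            if key in out:
                raise ValueError(f"duplicate attribute: {key}")
            raw = unquote_to_bytes(value)
            out[key] = raw if key == "id" else raw.decode("utf-8")
        return out

    return split(path, PATH_ATTRS), split(query, QUERY_ATTRS)

def uri_matches(uri, record):
    """A URI selects a record when every path attribute it names equals the
    record's value (RFC 7512 section 2.4); attributes it omits are wildcards."""
    path_attrs, _ = parse_pkcs11_uri(uri)
    return all(record.get(k) == v for k, v in path_attrs.items())

# Constructed sample: two certificates on one token, as a p11tool listing might show.
OBJECTS = [
    {"token": "My Smartcard", "object": "VPN Cert", "type": "cert", "id": b"\x01\x02"},
    {"token": "My Smartcard", "object": "Mail Cert", "type": "cert", "id": b"\x03\x04"},
]

def select(uri, records=OBJECTS):
    """Return the records a URI selects; a client should insist on exactly one."""
    return [r for r in records if uri_matches(uri, r)]
```

A URI that names only the token selects every object on it, which is why a client picking a key for authentication should treat more than one match as an error rather than silently taking the first.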