On Thu, 2014-12-11 at 09:12 +0000, David Woodhouse wrote:
> I'd love to have a Fedora Feature in F22 for PKCS#11, where 
> keys+certs from installed PKCS#11 modules are expected to Just Work™ 
> in all applications that can use certificates. Using consistent 
> PKCS#11 URIs where appropriate.

This isn't a Fedora Feature, but as of yesterday we do have packaging
guidelines in Fedora which state that:

 - Packages using X.509 certificates SHOULD support PKCS#11
 - Packages using PKCS#11 SHOULD load the p11-kit modules by default
 - Packages using PKCS#11 SHOULD accept RFC7512 URIs to specify objects

Fedora 22 has fixes for pkcs11-helper and engine_pkcs11, so it's only
really NSS that we have yet to fix.

For the use of RFC7512 PKCS#11 URIs I have filed
https://bugzilla.mozilla.org/show_bug.cgi?id=1162897 and started a
thread at
http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg12204.html


For loading the correct tokens, I have filed
https://bugzilla.mozilla.org/show_bug.cgi?id=1161219 and started a
thread at
http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg12230.html

I'd quite like to get NSS fixed, but I'm not entirely averse to just
going through Fedora packages and switching them to build against
GnuTLS or OpenSSL instead, if NSS is going to prove too resistant to
getting fixed :)

-- 
dwmw2

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
p11-glue mailing list
p11-glue@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/p11-glue

Reply via email to