Re: [opensc-devel] Integrating p11-kit into pkcs11-helper?
So Stef, How do you want to proceed? On Thu, Aug 4, 2011 at 7:58 PM, Alon Bar-Lev alon.bar...@gmail.com wrote: 2011/8/4 Jean-Michel Pouré - GOOZE jmpo...@gooze.eu: Le lundi 01 août 2011 à 14:11 +0200, Stef Walter a écrit : * Initializing modules via p11-kit so that refcounting, and pInitArgs stuff works if more than one app/library in the same process uses a PKCS#11 module. * Safe forking (pkcs11-helper already does this, but p11-kit forking stuff integrates with the initialization refcounting). IMHO, the biggest stopper in the spread of OpenSC is the inability to handle several sessions on a smartcard reliably. I mean without special development in the application client side. So if p11-kit solves this multiple-access issue, this would great. Do you think p11-kit would solve the issues for: * OpenVPN * Iceweasel / Firefox This is core issue of OpenSC and should be solved within the core of OpenSC. Aka - stateless card access. Alon. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Integrating p11-kit into pkcs11-helper?
On 08/04/2011 11:30 PM, Nikos Mavrogiannopoulos wrote: * Coordinating initialization and finalizing. You referencing a bad implemented application that is use PKCS#11 in two independent places. A practical solution is to fix the library implementation (such as GnuTLS) to provide some state information. How do you know that one library is in use? How can you avoid an application being linked to both p11-kit and pkcs11-helper? My experience from gnutls is that you cannot really track indirect dependencies, and you end-up having applications linked against gnutls and openssl. If both had to access a PKCS #11 token there would be a problem. Well put. In my opinion this is the key bit where people would want pkcs11-helper to use p11-kit. But as we pointed out earlier, that's already possible with the p11-kit proxy module [1]. In any case, I understand the hesitation. Some of us are pushing forward PKCS#11 more onto mainstream desktops right now, and using it on the Desktop. Although I strongly believe this is a good course of action, it'll take a little while before we can prove this usage. Perhaps after p11-kit has proved itself, and we see how this ends up being deployed in practice, we can revisit further integration. Cheers, Stef [1] http://p11-glue.freedesktop.org/doc/p11-kit/sharing-module.html ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Integrating p11-kit into pkcs11-helper?
Le lundi 01 août 2011 à 14:11 +0200, Stef Walter a écrit : * Initializing modules via p11-kit so that refcounting, and pInitArgs stuff works if more than one app/library in the same process uses a PKCS#11 module. * Safe forking (pkcs11-helper already does this, but p11-kit forking stuff integrates with the initialization refcounting). IMHO, the biggest stopper in the spread of OpenSC is the inability to handle several sessions on a smartcard reliably. I mean without special development in the application client side. So if p11-kit solves this multiple-access issue, this would great. Do you think p11-kit would solve the issues for: * OpenVPN * Iceweasel / Firefox Kind regards, -- Jean-Michel Pouré - Gooze - http://www.gooze.eu smime.p7s Description: S/MIME cryptographic signature ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Integrating p11-kit into pkcs11-helper?
Hello Stef, I think that each project is targeting a different set of problems. I am fully opened for discussion, but this is how I see things: pkcs11-helper targets developers who like to introduce PKCS#11 into their application, especially for smartcard. It allows to minimize the user interaction and maximize the object reuse. While using the minimum set of the specification in order to allow application compatibility with most implementation. p11-kit designed to solve incompatibilities of modules and inappropriate implementation of application that use PKCS#11 by providing a baseline of the PKCS#11 spec module implementation that may proxy on or more providers. BTW: we should also outline the difference between p11-kit and NSS. Let's take your example and see where these fit: * Coordinating initialization and finalizing. You referencing a bad implemented application that is use PKCS#11 in two independent places. A practical solution is to fix the library implementation (such as GnuTLS) to provide some state information. However, a proxy baseline provider with reference count and such may indeed solve this issue. * A standard place to put configuration of which modules to load and how to load them. A PKCS#11 aware application should be expose to this information and not let some library to hide these. I also don't like libraries like NSS that have dependencies out side of the runtime environment the application is creating for them. * Allowing pkcs11-helper to load modules from a standard location. Does pkcs11-helper have a concept of a module registry? If not, this could be a nice addition provided by p11-kit. Same as above. I don't like these registries within a library (API). A proxy module may have its own configuration which is fine. * Initializing modules via p11-kit so that refcounting, and pInitArgs stuff works if more than one app/library in the same process uses a PKCS#11 module. I written above, a different (applicative) solution should be applied. * Safe forking (pkcs11-helper already does this, but p11-kit forking stuff integrates with the initialization refcounting). Yes, much of the work in pkcs11-helper was safe forking, in order to abstract the [complex] process from the developers. What do you think? Alon. On Mon, Aug 1, 2011 at 8:11 AM, Stef Walter st...@collabora.co.uk wrote: Hi Alon, Thanks for all the PKCS#11 integration work you've spearheaded across the community. You may have heard of p11-kit before. It tries to solve several problems with using PKCS#11 modules across the Desktop. In particular when multiple applications or libraries want to use the same PKCS#11 modules. Most importantly: * Coordinating initialization and finalizing. * A standard place to put configuration of which modules to load and how to load them. More documentation here: http://p11-glue.freedesktop.org/p11-kit.html p11-kit can be used as a PKCS#11 module, and as such will integrate out of the box into anything that supports PKCS#11. So pkcs11-helper can already use p11-kit. I'm interested in integrating p11-kit more closely into pkcs11-helper. But I figured I'd talk with you before hacking. Some areas where integration could take place: * Allowing pkcs11-helper to load modules from a standard location. Does pkcs11-helper have a concept of a module registry? If not, this could be a nice addition provided by p11-kit. * Initializing modules via p11-kit so that refcounting, and pInitArgs stuff works if more than one app/library in the same process uses a PKCS#11 module. * Safe forking (pkcs11-helper already does this, but p11-kit forking stuff integrates with the initialization refcounting). Perhaps more? How do this sound? Cheers, Stef ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Integrating p11-kit into pkcs11-helper?
2011/8/4 Jean-Michel Pouré - GOOZE jmpo...@gooze.eu: Le lundi 01 août 2011 à 14:11 +0200, Stef Walter a écrit : * Initializing modules via p11-kit so that refcounting, and pInitArgs stuff works if more than one app/library in the same process uses a PKCS#11 module. * Safe forking (pkcs11-helper already does this, but p11-kit forking stuff integrates with the initialization refcounting). IMHO, the biggest stopper in the spread of OpenSC is the inability to handle several sessions on a smartcard reliably. I mean without special development in the application client side. So if p11-kit solves this multiple-access issue, this would great. Do you think p11-kit would solve the issues for: * OpenVPN * Iceweasel / Firefox This is core issue of OpenSC and should be solved within the core of OpenSC. Aka - stateless card access. Alon. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Integrating p11-kit into pkcs11-helper?
On 2011-08-04 18:58, Alon Bar-Lev wrote: snip So if p11-kit solves this multiple-access issue, this would great. This is core issue of OpenSC and should be solved within the core of OpenSC. Aka - stateless card access. Another solution is to use key-containers that for standard cryptographic operations are stateless such as SKS. Anders ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Integrating p11-kit into pkcs11-helper?
On 08/04/2011 06:57 PM, Alon Bar-Lev wrote: Hello, In gnutls we dropped our own PKCS #11 back-end based on pakchois for p11-kit. I try to contribute to the discussion based on this experience. pkcs11-helper targets developers who like to introduce PKCS#11 into their application, especially for smartcard. It allows to minimize the user interaction and maximize the object reuse. While using the minimum set of the specification in order to allow application compatibility with most implementation. p11-kit designed to solve incompatibilities of modules and inappropriate implementation of application that use PKCS#11 by providing a baseline of the PKCS#11 spec module implementation that may proxy on or more providers. This does look like making them mutually exclusive. Would be good if a library satisfied both goals. * Coordinating initialization and finalizing. You referencing a bad implemented application that is use PKCS#11 in two independent places. A practical solution is to fix the library implementation (such as GnuTLS) to provide some state information. How do you know that one library is in use? How can you avoid an application being linked to both p11-kit and pkcs11-helper? My experience from gnutls is that you cannot really track indirect dependencies, and you end-up having applications linked against gnutls and openssl. If both had to access a PKCS #11 token there would be a problem. * A standard place to put configuration of which modules to load and how to load them. A PKCS#11 aware application should be expose to this information and not let some library to hide these. I also don't like libraries like NSS that have dependencies out side of the runtime environment the application is creating for them. * Allowing pkcs11-helper to load modules from a standard location. Does pkcs11-helper have a concept of a module registry? If not, this could be a nice addition provided by p11-kit. Same as above. I don't like these registries within a library (API). A proxy module may have its own configuration which is fine. You can have both. Both an application interface where each application selects the modules and a system wide registry to set the system wide available libraries. This is how gnutls is using p11-kit currently. regards, Nikos PS .But for me the main user-visible contribution of p11-kit is the usage of pkcs11 urls, which prevents having applications referencing the same objects by different identifiers. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
[opensc-devel] Integrating p11-kit into pkcs11-helper?
Hi Alon, Thanks for all the PKCS#11 integration work you've spearheaded across the community. You may have heard of p11-kit before. It tries to solve several problems with using PKCS#11 modules across the Desktop. In particular when multiple applications or libraries want to use the same PKCS#11 modules. Most importantly: * Coordinating initialization and finalizing. * A standard place to put configuration of which modules to load and how to load them. More documentation here: http://p11-glue.freedesktop.org/p11-kit.html p11-kit can be used as a PKCS#11 module, and as such will integrate out of the box into anything that supports PKCS#11. So pkcs11-helper can already use p11-kit. I'm interested in integrating p11-kit more closely into pkcs11-helper. But I figured I'd talk with you before hacking. Some areas where integration could take place: * Allowing pkcs11-helper to load modules from a standard location. Does pkcs11-helper have a concept of a module registry? If not, this could be a nice addition provided by p11-kit. * Initializing modules via p11-kit so that refcounting, and pInitArgs stuff works if more than one app/library in the same process uses a PKCS#11 module. * Safe forking (pkcs11-helper already does this, but p11-kit forking stuff integrates with the initialization refcounting). Perhaps more? How do this sound? Cheers, Stef ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
