pkcs#11 URIs

David Woodhouse dwmw2 at
Sat Jul 28 06:06:10 PDT 2012

On Sat, 2012-07-28 at 13:20 +0200, Stef Walter wrote:
> Windows, Mac OS, NSS and most applications and operating systems have
> the behavior of importing certificates/keys before they're used. It is
> the exception to use files directly. Thus it's not a surprise that
> things would work this way.
> I don't want to block your use case, and I can see your reasons and
> policy for doing it that way, but I don't think we should make the
> general user interface for certificates in GNOME work in that fashion.

We don't want the general user interface to use files at all. If we need
to do provisioning, we should implement SCEP and related protocols.

Your comparison is a bit inappropriate because Windows, OSX and NSS all
have consistent certificate storage that every application is expected
to use. If everything on Linux actually *used* NSS, that might be OK.
But that isn't the case. So we need to bring GnuTLS, OpenSSL etc., "into
the fold"... perhaps by making them use the NSS softokn modules via
p11-kit... and then that'll be fine. But still we need to make sure that
we're clear that we're *importing* the file.
