comparison with other stored security state mechanisms [was: Re: Sharing Trust Policy between Crypto Libraries]

Simo Sorce simo at redhat.com
Mon Jan 14 22:17:29 PST 2013


On Mon, 2013-01-14 at 23:55 +0100, Gabor Toth wrote:
> >>>>> On Mon, 14 Jan 2013 15:21:24 -0500, Simo Sorce <simo at redhat.com> said:
> 
> > On Mon, 2013-01-14 at 20:50 +0100, Gabor Toth wrote:
> >> As for the actual implementation of the database, one option is
> >> SQLite, which already implements a proper locking scheme for shared
> >> access across many applications, to facilitate frequent read/write
> >> operations. PKCS#11 would be another option, but not sure how
> >> libraries implementing it handle shared access. How does p11-kit
> >> handle this?
> 
> > You can't use SQLite across different user process boundaries, so if
> > you want to do this 'system wide', it is off (and anything that relies
> > on collaborative locking like fcntl locks).
> 
> In order to make it really multi-user, a system-wide daemon process could
> handle the database, and applications would communicate with this process.

It would be much easier to just write files out.
Otherwise you are forced to refuse any cert if the daemon is not
available (because if you don't, a DoS on the daemon can allow you to
bypass explicitly untrusted certs).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
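
The trade-off discussed in this message, as an added example that is not part of the original thread or of any project's code: a daemon-backed lookup must choose between fail-open and fail-closed when the daemon is unreachable, while a plain file store has no such dependency. The socket protocol, file format, function names and the write-then-rename publishing step are assumptions made for illustration; the fingerprints are constructed.

```python
import os, socket, tempfile

def daemon_says_distrusted(sock_path, fingerprint):
    """Query a hypothetical trust daemon; raises OSError if it is unreachable."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(1.0)
        s.connect(sock_path)
        s.sendall(fingerprint.encode() + b"\n")
        reply = s.recv(16).strip()
    if reply not in (b"ok", b"distrusted"):
        raise OSError("truncated or unknown reply")  # treat like an outage
    return reply == b"distrusted"

def acceptable_via_daemon(sock_path, fingerprint, fail_open):
    try:
        return not daemon_says_distrusted(sock_path, fingerprint)
    except OSError:
        # Daemon down: fail-open accepts even explicitly distrusted certs,
        # fail-closed refuses every cert until the daemon is back.
        return fail_open

def publish_distrust_file(path, fingerprints):
    """Writer side: write a complete temp file, then rename it into place,
    so readers never see a partial file and need no cooperative locks."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(sorted(fingerprints)) + "\n")
        f.flush()
        os.fsync(f.fileno())
    os.chmod(tmp, 0o644)   # readable by other users' processes
    os.replace(tmp, path)  # atomic within one filesystem

def acceptable_via_file(path, fingerprint):
    try:
        with open(path) as f:
            distrusted = {line.strip() for line in f if line.strip()}
    except OSError:
        return False       # store unreadable: refuse rather than guess
    return fingerprint not in distrusted

def demo():
    bad, good = "aa11", "bb22"                    # constructed fingerprints
    with tempfile.TemporaryDirectory() as d:
        store = os.path.join(d, "distrusted.txt")
        publish_distrust_file(store, {bad})
        dead = os.path.join(d, "no-daemon.sock")  # nothing listens here
        return (acceptable_via_daemon(dead, bad, fail_open=True),
                acceptable_via_daemon(dead, good, fail_open=False),
                acceptable_via_file(store, bad),
                acceptable_via_file(store, good))
```

With the daemon down, `demo()` shows the fail-open client accepting the distrusted certificate and the fail-closed client refusing a good one, while the file-based check still answers both correctly.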


