[Andy Lutomirski] Re: [TLS] multiple clients in one process (was: Re: Deployment ... Re: This working group has failed)

Stef Walter stef at thewalter.net
Wed Nov 27 06:12:03 PST 2013


p11-kit solves the concurrency issue, with multiple callers of gnutls in
the same process. Although it's still possible for someone to use a
fragile PKCS#11 module directly with gnutls, that's not the default
behavior.

Secondly, I'm working actively in the PKCS#11 OASIS TC (even though such
work can be tedious), to solve the innate PKCS#11 issues with multiple
callers in a process. Progress has been made, and it's looking likely
that we'll have fixed this in a future version of the PKCS#11 standard
itself.

But until then: p11-kit does aim to fix this exact case. If there is a
specific issue, or corner case that we've missed, I would love to hear
details.

And no, PKCS#11 is not beautiful, but working around some of its
inadequacies (while also fixing them for real in the TC) has been
preferable to rewriting the Linux world + all the drivers to use
something else.

All the best,

Stef

On 27.11.2013 09:12, Daniel Kahn Gillmor wrote:
> hey gnutls and p11-kit folks--
> 
> this message came up on the IETF TLS WG list, as a particular complaint
> about the relationship between gnutls and pkcs11 making it more
> difficult to use gnutls than it should be.
> 
> I'm not sure if there is anything concrete to address here (or if there
> is, if it would be doable without API or ABI breakage), but i just
> wanted to make sure that the developers are aware that the concern has
> been aired publicly.  If the concern can be addressed and fixed, that
> would be great.
> 
> If you think the concern raised is a misconception, or if there is a
> particular way to avoid the implied risks with forking or
> multithreading, i would be happy to relay any relevant clarifications to
> the TLS WG.
> 
>       --dkg


-- 

stef at thewalter.net
http://stef.thewalter.net
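An added illustration (my own, not p11-kit's or GnuTLS's code) of the "multiple callers in one process" problem the thread refers to. PKCS#11 lets a module be initialized only once per process: a second C_Initialize returns CKR_CRYPTOKI_ALREADY_INITIALIZED, and whichever caller finalizes first tears the module down for everyone else. The toy module below is constructed for the example; the shim in front of it applies the reference-counting idea p11-kit uses for modules it manages, in a simplified single-threaded form (a real shim would lock the counter, and the fork case dkg raises is not modelled here).

```c
#include <stdio.h>
#include <stdbool.h>

typedef unsigned long CK_RV;
/* Return values from the PKCS#11 standard. */
#define CKR_OK                           0x000UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x191UL

/* ---- Stand-in for a "fragile" PKCS#11 module (constructed, not real). ---- */
static bool module_initialized = false;
static int  module_init_count  = 0;   /* how many real initializations happened */

static CK_RV toy_C_Initialize(void)
{
    /* The standard forbids a second C_Initialize in the same process. */
    if (module_initialized)
        return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    module_initialized = true;
    module_init_count++;
    return CKR_OK;
}

static CK_RV toy_C_Finalize(void)
{
    if (!module_initialized)
        return CKR_CRYPTOKI_NOT_INITIALIZED;
    module_initialized = false;       /* tears the module down for every caller */
    return CKR_OK;
}

/* Any real operation; stands in for C_GetSlotList, C_OpenSession, ... */
static CK_RV toy_C_GetInfo(void)
{
    return module_initialized ? CKR_OK : CKR_CRYPTOKI_NOT_INITIALIZED;
}

static void reset_module(void)
{
    module_initialized = false;
    module_init_count  = 0;
}

int real_init_count(void) { return module_init_count; }

/* ---- Scenario 1: two independent callers (say two libraries) hit the
 *      module directly, each following the standard on its own. ---- */
void run_direct(CK_RV *second_init, CK_RV *op_after_peer_finalize)
{
    reset_module();
    toy_C_Initialize();                    /* caller A: CKR_OK */
    *second_init = toy_C_Initialize();     /* caller B: ALREADY_INITIALIZED */
    /* B has no safe answer: if it gives up, it cannot use the token at all;
     * if it carries on, A finalizing when *A* is done breaks B underneath. */
    toy_C_Finalize();                      /* A finishes first */
    *op_after_peer_finalize = toy_C_GetInfo();   /* B's next call: NOT_INITIALIZED */
}

/* ---- Scenario 2: the same two callers go through a reference-counting shim.
 *      Only the first caller in really initializes, only the last out really
 *      finalizes; every caller sees CKR_OK and an initialized module. ---- */
static int shim_refcount = 0;

static CK_RV shim_C_Initialize(void)
{
    if (shim_refcount == 0) {
        CK_RV rv = toy_C_Initialize();
        if (rv != CKR_OK)
            return rv;
    }
    shim_refcount++;
    return CKR_OK;
}

static CK_RV shim_C_Finalize(void)
{
    if (shim_refcount == 0)
        return CKR_CRYPTOKI_NOT_INITIALIZED;
    if (--shim_refcount == 0)
        return toy_C_Finalize();           /* last caller out really finalizes */
    return CKR_OK;
}

void run_shimmed(CK_RV *second_init, CK_RV *op_after_peer_finalize)
{
    reset_module();
    shim_refcount = 0;
    shim_C_Initialize();                   /* caller A: real init happens here */
    *second_init = shim_C_Initialize();    /* caller B: CKR_OK, refcount 2 */
    shim_C_Finalize();                     /* A done: refcount 1, module stays up */
    *op_after_peer_finalize = toy_C_GetInfo();   /* B still works: CKR_OK */
    shim_C_Finalize();                     /* B done: module really finalized */
}

int main(void)
{
    CK_RV si, op;
    run_direct(&si, &op);
    printf("direct : second C_Initialize=0x%lx, B after A's C_Finalize=0x%lx\n", si, op);
    run_shimmed(&si, &op);
    printf("shimmed: second C_Initialize=0x%lx, B after A's C_Finalize=0x%lx, real inits=%d\n",
           si, op, real_init_count());
    return 0;
}
```

The direct scenario is what a caller sees when it loads a module itself; the shimmed one is the behaviour a process gets when every consumer of the module goes through one shared layer, which is the point of routing all callers through p11-kit rather than letting each talk to the module on its own.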