Fixing NSS and p11-kit in Fedora (and beyond)

Jaroslav Imrich jaroslav.imrich at
Mon Dec 15 06:30:20 PST 2014

I support the idea of updating packaging guidelines but I am not quite sure
about the second bullet:
"PKCS#11 modules SHOULD silently fail to load if their corresponding
hardware is not present, or in the case of pure software tokens such as
SoftHSM if there is no storage configured for the user in question."

Most PKCS#11 modules I have seen would load in such a case and would return
CKR_TOKEN_NOT_RECOGNIZED for any unknown accessible device. None of them
was open source, but I believe a system-wide solution should also take
commercial closed-source solutions into account.

Regards, Jaroslav

On Mon, Dec 15, 2014 at 2:59 PM, David Woodhouse <dwmw2 at> wrote:
> On Fri, 2014-12-12 at 09:22 +0100, Stef Walter wrote:
> > On 11.12.2014 10:12, David Woodhouse wrote:
> > > I'd love to have a Fedora Feature in F22 for PKCS#11, where keys+certs
> > > from installed PKCS#11 modules are expected to Just Work™ in all
> > > applications that can use certificates. Using consistent PKCS#11 URIs
> > > where appropriate. Even if we aren't ready for a Feature, I'd love to
> > > make some more progress in that direction. Obviously none of this is
> > > really Fedora-specific, but if we can get it right in Fedora (as we did
> > > for the trust stuff), other distributions can follow.
> >
> > I believe there's an open process for proposing Fedora Features and I
> > think it's going on right now. But I agree that doing all of this in a
> > few months is a bit much to bite off, even for someone as tireless as
> > you :D
> >
> > But progress in that direction is great.
>
> I've also filed a request to update the packaging guidelines:
> --
> dwmw2
> _______________________________________________
> p11-glue mailing list
> p11-glue at