Fixing NSS and p11-kit in Fedora (and beyond)

David Woodhouse dwmw2 at
Mon Dec 15 07:05:40 PST 2014

On Mon, 2014-12-15 at 15:30 +0100, Jaroslav Imrich wrote:
> I support the idea of updating packaging guidelines but I am not quite
> sure about the second bullet:
> "PKCS#11 modules SHOULD silently fail to load if their corresponding
> hardware is not present, or in the case of pure software tokens such
> as SoftHSM if there is no storage configured for the user in
> question."

I'm actually really tempted just to drop the guidelines for *providers*
entirely for now. Although it would be nice to use them to chase up and I suppose.

> Most PKCS#11 modules I have seen would load in such case and would
> return CKR_TOKEN_NOT_RECOGNIZED for any unknown accessible device.
> None of them was open source but I believe system wide solution should
> take also commercial closed source solutions into account.

Yeah, that's reasonable behaviour I suppose. I'll remove that
requirement. Is there anything we want to put in its place to make it
clear that tokens shouldn't misbehave if their hardware or configuration
(in the case of SoftHSM) is absent?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <>

More information about the p11-glue mailing list