Fixing NSS and p11-kit in Fedora (and beyond)

David Woodhouse dwmw2 at infradead.org
Fri May 8 05:50:08 PDT 2015


On Thu, 2014-12-11 at 09:12 +0000, David Woodhouse wrote:
> I'd love to have a Fedora Feature in F22 for PKCS#11, where 
> keys+certs from installed PKCS#11 modules are expected to Just Work™ 
> in all applications that can use certificates. Using consistent 
> PKCS#11 URIs where appropriate.

This isn't a Fedora Feature, but as of yesterday we do have packaging
guidelines in Fedora which state that:

 - Packages using X.509 certificates SHOULD support PKCS#11
 - Packages using PKCS#11 SHOULD load the p11-kit modules by default
 - Packages using PKCS#11 SHOULD accept RFC7512 URIs to specify objects

Fedora 22 has fixes for pkcs11-helper and engine_pkcs11, so it's only
really NSS that we have yet to fix.

For the use of RFC7512 PKCS#11 URIs I have filed
https://bugzilla.mozilla.org/show_bug.cgi?id=1162897 and started a
thread at
http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg12204.html


For loading the correct tokens, I have filed
https://bugzilla.mozilla.org/show_bug.cgi?id=1161219 and started a
thread at
http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg12230.html

I'd quite like to get NSS fixed, but I'm not entirely averse to just
going through Fedora packages and switching them to build against
GnuTLS or OpenSSL instead, if NSS is going to prove too resistant to
getting fixed :)

-- 
dwmw2
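
The RFC 7512 URIs that the guidelines above ask packages to accept, shown as a strict parser. This is an added example, not part of the original message and not code from NSS, p11-kit or Fedora. The function names and the sample URI are constructed for illustration, and vendor-specific attributes are rejected to keep the sketch short.

```python
from urllib.parse import unquote_to_bytes

# Attribute names defined by RFC 7512 (vendor attributes are rejected here).
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"cert", "data", "private", "public", "secret-key"}
# Constructed sample URI, not taken from the post.
SAMPLE = "pkcs11:token=Example%20Token;object=vpn-key;type=private;id=%01%a2?pin-value=1234"


def _split(part, sep, allowed):
    """Split one URI component into a dict, rejecting unknown or repeated names."""
    attrs = {}
    if not part:
        return attrs
    for item in part.split(sep):
        name, eq, value = item.partition("=")
        if not eq or name not in allowed:
            raise ValueError(f"unsupported attribute: {name!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name!r}")
        raw = unquote_to_bytes(value)
        # 'id' maps to CKA_ID, an arbitrary byte string; other values are UTF-8 text.
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) or raise ValueError on a malformed URI."""
    scheme, colon, rest = uri.partition(":")
    if not colon or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    path_attrs = _split(path, ";", PATH_ATTRS)
    query_attrs = _split(query, "&", QUERY_ATTRS)
    if "type" in path_attrs and path_attrs["type"] not in OBJECT_TYPES:
        raise ValueError("invalid object type")
    return path_attrs, query_attrs


def redact_pin(uri):
    """Return the URI with any pin-value replaced, so it can be written to logs."""
    head, q, query = uri.partition("?")
    items = ["pin-value=REDACTED" if i.startswith("pin-value=") else i
             for i in query.split("&")]
    return head + q + "&".join(items)
```

The path attributes select the token and object; the query attributes only say how to reach them, which is why `pin-value` is the part to keep out of logs and process listings.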
More information about the p11-glue mailing list