NetworkManager & PKCS#11 remoting

David Woodhouse dwmw2 at infradead.org
Tue Jun 21 07:49:24 UTC 2016


On Tue, 2016-06-21 at 09:39 +0200, Nikos Mavrogiannopoulos wrote:
> On Mon, 2016-06-20 at 15:07 +0100, David Woodhouse wrote:
> > On Mon, 2016-06-20 at 15:50 +0200, Lubomir Rintel wrote:
> > > 
> > > Another problem is that the p11-kit-remote tool needs a module name;
> > > but the VPN daemon only knows the PKCS#11 URI. Would it make sense to
> > > extend the tool to do the resolution as well? [3]
> > > 
> > > [3] https://github.com/NetworkManager/p11-kit/commit/254ae1a6.patch
> > No. It should be using p11-kit-proxy.so (or loading the full set of
> > modules as indicated by the p11-kit config).
> 
> Why is that? Why not resolve the URL provided and remote only the
> required module?

I thought we were generally trying to move away from explicitly loading
specific modules. If the correct set of modules is expected to be
loaded *automatically* by p11-kit config, then it shouldn't really be
*necessary* to provide it.

I'm not quite sure how the above patch works, anyway.

If I have a PKCS#11 URI of 'pkcs11:manufacturer=piv_II;id=%01' and it
doesn't have access to the card reader, or if I have a URI of an object
in my personal gnome-keyring token... how does it get resolved to a
module name?

-- 
dwmw2
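
Added example, not part of the original message and not p11-kit code: a small RFC 7512 parser applied to the URI quoted above. It shows that the URI carries only token and object attributes, so nothing in it names a module unless the optional module-name or module-path query attributes are present. The function names are hypothetical, and the second URI in the usage note is constructed.

```python
from urllib.parse import unquote_to_bytes

# Attribute names defined by RFC 7512, grouped by what they describe.
TOKEN_ATTRS = {"token", "manufacturer", "serial", "model"}
OBJECT_ATTRS = {"object", "type", "id"}
MODULE_HINTS = {"module-name", "module-path"}  # optional query attributes


def parse_pkcs11_uri(uri):
    """Split a PKCS#11 URI into (path_attrs, query_attrs), values as bytes."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")

    def attrs(part, delim):
        out = {}
        for item in filter(None, part.split(delim)):
            name, eq, value = item.partition("=")
            if not eq:
                raise ValueError(f"attribute without value: {item!r}")
            if name in out:
                raise ValueError(f"duplicate attribute: {name!r}")
            # Values are percent-encoded and may be binary (e.g. id=%01).
            out[name] = unquote_to_bytes(value)
        return out

    return attrs(path, ";"), attrs(query, "&")


def module_resolution(uri):
    """Report whether the URI itself identifies a module or only a token/object."""
    path, query = parse_pkcs11_uri(uri)
    hints = {k: v.decode() for k, v in query.items() if k in MODULE_HINTS}
    return {
        "names_module": bool(hints),
        "module_hints": hints,
        "token_match": {k: v for k, v in path.items() if k in TOKEN_ATTRS},
        "object_match": {k: v for k, v in path.items() if k in OBJECT_ATTRS},
    }


if __name__ == "__main__":
    print(module_resolution("pkcs11:manufacturer=piv_II;id=%01"))
```

For the URI from the message, names_module is False: the only way to find the module is to match manufacturer and id against tokens that some already-loaded module reports. A constructed URI such as 'pkcs11:manufacturer=piv_II;id=%01?module-name=opensc-pkcs11' is the case where the URI itself carries a module hint.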


More information about the p11-glue mailing list