Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]
- From: Nikos Mavrogiannopoulos <n mavrogiannopoulos gmail com>
- To: Stef Walter <stefw collabora co uk>
- Cc: Dan Winship <danw gnome org>, "gnome-keyring-list gnome org" <gnome-keyring-list gnome org>
- Subject: Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]
- Date: Wed, 22 Dec 2010 20:44:05 +0100
On 12/22/2010 07:41 PM, Stef Walter wrote:
>>> In the files we use PKCS#11 URIs to identify which slots to use
>>> for what. One problem is that there is no way to specify the
>>> module file name in a PKCS#11 URI. This prevents us from an
>>> airtight identification of the relevant PKCS#11 slot. I'll bring
>>> this up to the PKCS#11 URI authors.
>>
>> Actually the -03 version of pkcs11url can specify the module. We
>> use it already in gnutls to specify precisely an object. The
>> options referring to library are: library-manufacturer,
>> library-description and even library-version... Unless I didn't get
>> what is meant by library.
>
> Interesting. Well I was referring to use of the actual module path in
> the URI. This would provide an airtight link between the URI and the
> module that we actually want to use for the trust assertions. Do the
> library-manufacturer, library-description and library-version URI
> arguments provide the same hard to spoof connection between the URI
> and the module?
Given that we are not considering malicious modules being loaded, then
they can be made to. It is the information from the CK_INFO structure
provided by each module, and if each module/library provides sensible
information, those can be used to distinguish between them.
regards,
Nikos
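As an added illustration of the matching discussed above (this is example code, not code from the thread, gnome-keyring or gnutls): the library-manufacturer, library-description and library-version attributes of a pkcs11: URI are compared against the fields a module reports in its CK_INFO structure via C_GetInfo. The CkInfo class, the module paths and the vendor strings below are constructed stand-ins; the real CK_INFO fields are fixed-width, space-padded byte arrays and a CK_VERSION {major, minor} pair, which is why the comparison strips padding and accepts a URI version of either "major" or "major.minor".

```python
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class CkInfo:
    """Constructed stand-in for the parts of CK_INFO a pkcs11: URI can name."""
    manufacturer_id: str          # CK_INFO.manufacturerID (space padded in C)
    library_description: str      # CK_INFO.libraryDescription (space padded in C)
    library_version: tuple        # CK_INFO.libraryVersion as (major, minor)


def parse_pkcs11_uri(uri: str) -> dict:
    """Parse the path attributes of a pkcs11: URI into a dict.

    Values are percent-decoded after splitting on ';', because a literal ';'
    inside a value must be percent-encoded in the URI. The query part
    (after '?') carries module/PIN hints and is ignored here.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for component in path.split(";"):
        if not component:
            continue
        name, sep, value = component.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {component!r}")
        attrs[name] = unquote(value)
    return attrs


def _version_matches(wanted: str, have: tuple) -> bool:
    """'1' matches any 1.x; '1.2' matches only major 1, minor 2."""
    major, _, minor = wanted.partition(".")
    try:
        if int(major) != have[0]:
            return False
        return minor == "" or int(minor) == have[1]
    except ValueError:
        return False


def module_matches(uri: str, info: CkInfo) -> bool:
    """True if every library-* attribute present in the URI agrees with CK_INFO."""
    attrs = parse_pkcs11_uri(uri)
    checks = {
        "library-manufacturer": lambda v: v == info.manufacturer_id.rstrip(),
        "library-description": lambda v: v == info.library_description.rstrip(),
        "library-version": lambda v: _version_matches(v, info.library_version),
    }
    for name, check in checks.items():
        if name in attrs and not check(attrs[name]):
            return False
    return True


def select_modules(uri: str, modules: dict) -> list:
    """Return the (sorted) paths of loaded modules whose CK_INFO satisfies the URI."""
    return sorted(path for path, info in modules.items() if module_matches(uri, info))


# Constructed sample: two distinct module files that report identical CK_INFO,
# plus an unrelated one. None of these paths or vendor strings are real.
SAMPLE_MODULES = {
    "/usr/lib/pkcs11/example-a.so": CkInfo("Example Vendor", "Example Token Lib", (1, 2)),
    "/usr/lib/pkcs11/example-b.so": CkInfo("Example Vendor", "Example Token Lib", (1, 2)),
    "/usr/lib/pkcs11/other.so": CkInfo("Other Vendor", "Other Lib", (3, 0)),
}

if __name__ == "__main__":
    uri = "pkcs11:library-manufacturer=Example%20Vendor;library-version=1"
    print(select_modules(uri, SAMPLE_MODULES))
```

The last case is the point of the exchange: the two "example" modules are different files on disk but carry the same self-reported CK_INFO, so a URI built only from library-* attributes selects both of them. The match is exactly as trustworthy as the module that answered C_GetInfo; binding a configuration entry to a specific module file still needs something outside the URI, such as the module path in the config file.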