Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]
- From: Stef Walter <stefw collabora co uk>
- To: Nikos Mavrogiannopoulos <nmav gnutls org>
- Cc: Dan Winship <danw gnome org>, "gnome-keyring-list gnome org" <gnome-keyring-list gnome org>
- Subject: Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]
- Date: Sun, 16 Jan 2011 14:11:22 -0800
On 01/12/2011 07:38 AM, Nikos Mavrogiannopoulos wrote:
> What kind of information do you store there? For gnutls what
> we need there is a list of libraries to load to access objects,
> and optionally a library that (might) provide faster crypto
> operations.
Currently we're just storing the PKCS#11 URIs for where trust assertion
objects should be looked up and/or stored.
> We need the former because loading all libraries from /usr/lib/pkcs11
> from [2] is not practical. At least in my system there are some debugging
> libraries that print funny messages to the stderr, and similar libraries
> that provide the same objects (e.g. libopensc and libopensc-one or something
> like that). Thus we need a config file that will specify the exact libraries
> for applications to use in order to access objects.
That makes sense. It of course begs the question whether unusable
libraries should be installed in /usr/lib/pkcs11, but that's an aside.
In any case, we also need a configuration file which specifies the
libraries if we want to support user configuration of pkcs11 modules
(like NSS does).
For the library listing, I would suggest something like the following,
in desktop entry format:
[name]
library=/path/to/pkcs11-module.so
enabled=TRUE
And there would be multiple files that could contain these 'groups'. For
example:
/etc/pkcs11/pkcs11.defaults
/etc/pkcs11/pkcs11.conf
~/.pkcs11/pkcs11.conf
The above would be read in order, with latter groups of the same being
loaded on top of earlier ones. This would allow (for example) the user
to disable a module provided by the system.
There would probably need to be a switch to turn off/on the loading of
the user config file, for lockdown or reasons.
At this point we would have a system similar to the XDG basedir spec
[1], but the big difference is the environment variable usage. But for
lockdown to work, we couldn't really do the environment variable stuff.
What do you think?
Stef
[1] http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]