Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]

From: Stef Walter <stefw collabora co uk>
To: Nikos Mavrogiannopoulos <nmav gnutls org>
Cc: Dan Winship <danw gnome org>, "gnome-keyring-list gnome org" <gnome-keyring-list gnome org>
Subject: Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]
Date: Wed, 19 Jan 2011 09:20:11 -0600

On 01/19/2011 03:08 AM, Nikos Mavrogiannopoulos wrote:
> On 01/16/2011 11:11 PM, Stef Walter wrote:
> 
>> In any case, we also need a configuration file which specifies the
>> libraries if we want to support user configuration of pkcs11 modules
>> (like NSS does).
>>
>> For the library listing, I would suggest something like the following,
>> in desktop entry format:
>>
>> [name]
>> library=/path/to/pkcs11-module.so
>> enabled=TRUE
> 
> I would need a type field as well, that says something like:
> 
> # this module is to be used for hardware acceleration of crypto
> # operations.
> acceleration=true

Good, makes sense. Although do we need that to be more fine grained
saying which mechanisms are accelerated?

FWIW, NSS has the concept of a set of mechanisms for which a PKCS#11
module is the default provider. You can see this in modutil. Does
something like that make sense for this configuration file.

> (are actually comments supported? Is '#' a sensible default?)

Yup [1].

>> /etc/pkcs11/pkcs11.defaults
>> /etc/pkcs11/pkcs11.conf
> Why two in /etc/pkcs11? Wouldn't a single pkcs11.conf do?

The concept was that one would be installed, and the other would be
configurable by a sysadmin. But actually I goofed up ... I think we may
need more than two now that we're describing which modules to load.

I think that each provider should be able to install a config file into
the /etc/pkcs11 directory. All the files in there should be read
alphabetically in turn, with groups merging with other groups of the
same name in other files.

We discussed this multi-file concept a bit before.

Then if lockdown is not in force, the user file (ie:
~/.pkcs11/pkcs11.conf -- or maybe we need mulitple files here?) would be
loaded and the section in the user file merged (and same values
override) those in the system config.

Of course there's the big question of whether PKCS#11 modules should be
user configurable or not. It's easy to argue that an application wishing
to install a PKCS#11 module for the whole desktop should need to prompt
the user for elevated privileges.

Also should there be a special file for global settings? Or (I like this
better) a specially named group. If the latter than it makes installing
defaults, and then overriding them much easier.

How does that sound? It may be slightly more complex, but on the other
hand if we don't allow multiple files here, then each distro interested
in packaging pkcs11 modules properly will have to invent their own
configuration system, which then somehow they merge into a single
configuration.

On the other hand, the simplicity of having a special directory where
you place (or link) modules that should be loaded is very appealing. Of
course we also need a configuration file, but then it would be just for
extra options.

Cheers,

Stef

[1] http://standards.freedesktop.org/desktop-entry-spec/latest/ar01s02.html

Follow-Ups:
- Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]
  - From: Nikos Mavrogiannopoulos

References:
- Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]
  - From: Stef Walter
- Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]
  - From: Nikos Mavrogiannopoulos
- Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]
  - From: Stef Walter
- Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]
  - From: Nikos Mavrogiannopoulos

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]