Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]
- From: Nikos Mavrogiannopoulos <nmav gnutls org>
- To: Stef Walter <stefw collabora co uk>
- Cc: Dan Winship <danw gnome org>, "gnome-keyring-list gnome org" <gnome-keyring-list gnome org>
- Subject: Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]
- Date: Wed, 19 Jan 2011 17:07:21 +0100
On 01/19/2011 04:20 PM, Stef Walter wrote:
> Good, makes sense. Although do we need that to be more fine grained
> saying which mechanisms are accelerated? FWIW, NSS has the concept of
> a set of mechanisms for which a PKCS#11 module is the default
> provider. You can see this in modutil. Does something like that make
> sense for this configuration file?
Those are related. The latter option allows for more fine-tuning. Do you
suggest something like:
acceleration=PKCS11_METHOD?
>>> /etc/pkcs11/pkcs11.defaults /etc/pkcs11/pkcs11.conf
>> Why two in /etc/pkcs11? Wouldn't a single pkcs11.conf do?
> The concept was that one would be installed, and the other would be
> configurable by a sysadmin.
I see it might help in some cases, but I don't think it's worth the
complication. A simple .conf file should be enough for both embedded
and desktop systems. Systems that want defaults can always generate
the .conf from their defaults and a separate configurable file.
> But actually I goofed up ... I think we may need more than two now
> that we're describing which modules to load. I think that each
> provider should be able to install a config file into the /etc/pkcs11
> directory. All the files in there should be read alphabetically in
> turn, with groups merging with other groups of the same name in other
> files.
Something like that is overkill in embedded systems, as it would
require a special library to handle all this configuration. I think that
a configuration like that should be simple.
> Of course there's the big question of whether PKCS#11 modules should
> be user configurable or not. It's easy to argue that an application
> wishing to install a PKCS#11 module for the whole desktop should need
> to prompt the user for elevated privileges.
I assume they are user-configurable as long as ~/.pkcs11.conf is used. What
is the issue here?
> How does that sound? It may be slightly more complex, but on the
> other hand if we don't allow multiple files here, then each distro
> interested in packaging pkcs11 modules properly will have to invent
> their own configuration system, which then somehow they merge into a
> single configuration.
But they already do for several other packages. I find a simple config
best, since it can be used both in desktop and embedded systems.
> On the other hand, the simplicity of having a special directory
> where you place (or link) modules that should be loaded is very
> appealing.
There will always be the problem of wanting to have a library conditionally
(i.e. a debug library), and removing and copying is more work than
changing a config file. And since a config file is available anyway
(for other reasons)... then it's best to use it for that purpose as
well.
regards,
Nikos