Re: gnome-keyring p11-unity [was: Re: Multiple libraries using PKCS#11 modules and CKR_ALREADY_INITIALIZED]
- From: Joe Orton <jorton redhat com>
- To: Stef Walter <stefw collabora co uk>
- Cc: gnome-keyring-list gnome org, Nikos Mavrogiannopoulos <nmav gnutls org>
- Subject: Re: gnome-keyring p11-unity [was: Re: Multiple libraries using PKCS#11 modules and CKR_ALREADY_INITIALIZED]
- Date: Sat, 22 Jan 2011 16:06:50 +0000
On Fri, Jan 21, 2011 at 04:10:50PM -0600, Stef Walter wrote:
> So to summarize by using something like p11-unity we would get:
>
> * Solve the refcount initialization problem when multiple PKCS#11
> consumers in a process want to use the same PKCS#11 module.
> * Drop in usage with current PKCS#11 consumers, like NSS.
> * Single implementation of PKCS#11 system configuration.
> * Can expose more powerful library functions for accessing details
> about a module's config (e.g. algorithm selection)
That looks like a good solution to that problem set; I think you'd have
to also address the forking problem as Nikos has patched into pakchois
(sorry I still need to merge those, Nikos).
I worry that a daemon would be needed in addition:
a) to serialize access to (hardware) resources sensibly. In my testing
PKCS#11 modules tend to fail rather than block when you attempt to use
the hardware concurrently from different processes, and there are also
issues w.r.t. long-lived sessions. There was a thread on moz-crypto
just recently about Firefox & PKCS#11 locking, perhaps related:
http://thread.gmane.org/gmane.comp.mozilla.crypto/15784
b) since PKCS#11 modules are pretty crappy and like to spam stderr which
is blooming annoying for use via console apps
But I haven't investigated this stuff thoroughly or even recently,
probably these problems can be solved separately if that proves
necessary, and I should stop heckling you from the peanut gallery ;)
Regards, Joe
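As an added illustration of the refcount initialization problem in the quoted summary (this is not code from p11-unity, pakchois or anyone in this thread): the "module" below is a constructed stub that, like many real modules, rejects a second C_Initialize in the same process, and the `unity_*` wrapper names are hypothetical. The return codes are the values the PKCS#11 specification assigns.

```c
typedef unsigned long CK_RV;                 /* PKCS#11 return type */
#define CKR_OK                       0x000UL /* values from the PKCS#11 spec */
#define CKR_CRYPTOKI_NOT_INITIALIZED 0x190UL
#define CKR_ALREADY_INITIALIZED      0x191UL

/* Constructed stub module (hypothetical): like many real modules it
 * refuses a second C_Initialize within the same process. */
static int module_initialized = 0;

CK_RV stub_C_Initialize(void) {
    if (module_initialized) return CKR_ALREADY_INITIALIZED;
    module_initialized = 1;
    return CKR_OK;
}

CK_RV stub_C_Finalize(void) {
    if (!module_initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    module_initialized = 0;
    return CKR_OK;
}

int module_is_initialized(void) { return module_initialized; }

/* Hypothetical shared layer: every in-process consumer (NSS, GnuTLS, ...)
 * goes through it, so the module itself sees exactly one C_Initialize and
 * one C_Finalize no matter how many consumers come and go. */
static int refcount = 0;

CK_RV unity_initialize(void) {
    if (refcount == 0) {
        CK_RV rv = stub_C_Initialize();
        if (rv != CKR_OK) return rv;   /* a genuine failure is not masked */
    }
    refcount++;
    return CKR_OK;
}

CK_RV unity_finalize(void) {
    if (refcount == 0) return CKR_CRYPTOKI_NOT_INITIALIZED;
    if (--refcount == 0) return stub_C_Finalize();  /* last consumer out */
    return CKR_OK;
}
```

The fork problem Joe mentions is deliberately out of scope here: after fork() the child inherits `refcount` and the module's state, so a real layer also has to notice the PID change and re-initialize.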