On Fri, 2015-05-08 at 15:23 +0200, Wouter Verhelst wrote:
> On 08-05-15 15:09, David Woodhouse wrote:
> > On Fri, 2015-05-08 at 14:58 +0200, Wouter Verhelst wrote:
> > > In light of that, it would be great if firefox/libnss were to
> > > allow configuration of PKCS#11 modules externally -- not just
> > > on Linux, but on OSX and Windows too.
> >
> > Well, p11-kit does build on OSX and Windows too but it doesn't have
> > the same status there. On Linux distributions it *is* the platform's
> > mechanism of choice for configuring PKCS#11 tokens. NSS needs to
> > support it if it wants to integrate with the platform properly.
> >
> > On OSX and Windows, p11-kit is just some third-party software.
>
> Which would mean that if this gets to be "the way to do it", we
> don't fix the problem on those platforms -- instead, we just move it
> from "install an individual PKCS#11 module" to "install p11-kit".

Right. On platforms where p11-kit doesn't *already* exist, using it doesn't help you. It only *adds* work for the end-user.

I suspect the best answer for Windows and OSX is to make NSS integrate properly by automatically loading nss_capi and its OSX equivalent, if/when those modules are production-ready.

Perhaps it's something to bear in mind when adding the code to load p11-kit-proxy.so; that on other platforms it might be some *other* module that gets loaded.

FWIW on Linux your installer/package needs to be shipping a module file like the one in /usr/share/p11-kit/modules/opensc.module (or isn't the eID card supported by OpenSC anyway, so do people need a third-party provider?)

-- 
dwmw2

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto