On 11-05-15 20:21, Ryan Sleevi wrote:
On Mon, May 11, 2015 4:09 am, David Woodhouse wrote:
I completely agree that Chrome should only ever load the modules which
are configured to be loaded into Chrome. I'm surprised you feel the
need to mention that.
Because you still don't understand,
On Tue, 2015-05-12 at 10:17 -0700, Ryan Sleevi wrote:
On Tue, May 12, 2015 9:44 am, Peter Bowen wrote:
How about an even simpler solution? Don't have p11-kit load the
PKCS#11 modules, just provide a list of paths and let the application
pass those to NSS. That way the application can
On Tue, May 12, 2015 at 8:40 AM, David Woodhouse dw...@infradead.org wrote:
On Mon, 2015-05-11 at 11:21 -0700, Ryan Sleevi wrote:
It's not simply sufficient to load module X into Chrome or not. p11-kit's
security model is *broken* for applications like Chrome, at least with
respect to how you
On Tue, May 12, 2015 9:44 am, Peter Bowen wrote:
How about an even simpler solution? Don't have p11-kit load the
PKCS#11 modules, just provide a list of paths and let the application
pass those to NSS. That way the application can choose to
transparently load modules without user
On Mon, 2015-05-11 at 11:24 -1000, Brian Smith wrote:
Said differently, there is nothing special about Linux. Just as Firefox
intentionally doesn't use Windows's central certificate trust database on
Windows, and just as it doesn't use Mac OS X's central certificate trust
database on Mac OS
On Mon, 2015-05-11 at 11:21 -0700, Ryan Sleevi wrote:
It's not simply sufficient to load module X into Chrome or not. p11-kit's
security model is *broken* for applications like Chrome, at least with
respect to how you propose to implement.
I've proposed at least four different options and
On Sun, 2015-05-10 at 12:47 -0700, Ryan Sleevi wrote:
- Don't load a module unless the user has explicitly asked or configured
that module to be loaded.
- Do not patch NSS to load modules outside of the explicitly requested
modules.
Quite right; that's absolutely how we should behave.
As
David Woodhouse dw...@infradead.org wrote:
The sysadmin should be able to configure things for *all* users
according to the desired policy, rather than forcing each user to set
things up for themselves.
And in turn the *developers* of the operating system distribution
should be able to set
On Mon, May 11, 2015 4:09 am, David Woodhouse wrote:
I completely agree that Chrome should only ever load the modules which
are configured to be loaded into Chrome. I'm surprised you feel the
need to mention that.
Because you still don't understand, despite how many ways I'm trying to
say
On Sun, May 10, 2015 12:57 pm, David Woodhouse wrote:
On Sun, 2015-05-10 at 12:47 -0700, Ryan Sleevi wrote:
If the user requests NSS to load a module. It should load that module.
And that module only. Period.
The canonical per-user way to request an application to load a module is
On Sat, May 9, 2015 3:30 pm, David Woodhouse wrote:
On Fri, 2015-05-08 at 15:07 -0700, Ryan Sleevi wrote:
Yes, it should. You'll introduce your users to a host of security issues
if you ignore them (especially for situations like Chrome). For example,
if you did what you propose to do,
On Sat, May 9, 2015 3:30 pm, David Woodhouse wrote:
No, you should be able to do it w/o patching NSS.
OK... how?
If the Shared System Database wasn't such an utter failure, not even
being used by Firefox itself, then just installing it there would have
been a nice idea. But *nothing*
On Sun, 2015-05-10 at 12:07 -0700, Ryan Sleevi wrote:
On Sat, May 9, 2015 3:30 pm, David Woodhouse wrote:
On Fri, 2015-05-08 at 15:07 -0700, Ryan Sleevi wrote:
Yes, it should. You'll introduce your users to a host of security issues
if you ignore them (especially for situations like
On Sun, May 10, 2015 12:31 pm, David Woodhouse wrote:
You don't need to expose it to the sandbox to use PKCS#11 in the web
browser. That's not how modern sandboxed browsers work.
That sounds like a bit of a failure of the sandboxing to me. Just so I
understand what you're saying...
On Sun, 2015-05-10 at 12:11 -0700, Ryan Sleevi wrote:
On Sat, May 9, 2015 3:30 pm, David Woodhouse wrote:
No, you should be able to do it w/o patching NSS.
OK... how?
If the Shared System Database wasn't such an utter failure, not even
being used by Firefox itself, then just
On Sun, 2015-05-10 at 12:47 -0700, Ryan Sleevi wrote:
If the user requests NSS to load a module. It should load that module.
And that module only. Period.
The canonical per-user way to request an application to load a module is
for me to create a file in ~/.config/pkcs11/modules/*.module which
On Fri, 2015-05-08 at 15:00 -0700, Ryan Sleevi wrote:
On Fri, May 8, 2015 6:09 am, David Woodhouse wrote:
On Linux distributions it *is* the platform's
mechanism of choice for configuring PKCS#11 tokens. NSS needs to
support it if it wants to integrate with the platform properly.
I'm
On Fri, 2015-05-08 at 15:07 -0700, Ryan Sleevi wrote:
On Fri, May 8, 2015 5:38 am, David Woodhouse wrote:
These days it does. Modern systems ship with p11-kit², which exists
precisely to fill that gap and provide a standard discoverable
configuration for installed PKCS#11 modules.
On 08-05-15 15:09, David Woodhouse wrote:
On Fri, 2015-05-08 at 14:58 +0200, Wouter Verhelst wrote:
In light of that, it would be great if firefox/libnss were to allow
configuration of PKCS#11 modules externally -- not just on Linux,
but on OSX and Windows too.
Well, p11-kit does build on OSX
On 08-05-15 15:46, David Woodhouse wrote:
FWIW on Linux your installer/package needs to be shipping a module
file like the one in /usr/share/p11-kit/modules/opensc.module
Well, since p11-kit is not found on the older distributions that we
still support, and non-functional on some newer
On Fri, 2015-05-08 at 15:23 +0200, Wouter Verhelst wrote:
On 08-05-15 15:09, David Woodhouse wrote:
On Fri, 2015-05-08 at 14:58 +0200, Wouter Verhelst wrote:
In light of that, it would be great if firefox/libnss were to
allow
configuration of PKCS#11 modules externally -- not just on
On 08-05-15 14:38, David Woodhouse wrote:
Bug 248722¹ has been open since 2004 requesting a system-wide
configuration for PKCS#11 modules. At the time, such a thing didn't
exist.
These days it does. Modern systems ship with p11-kit², which exists
precisely to fill that gap and provide a
On Fri, 2015-05-08 at 14:58 +0200, Wouter Verhelst wrote:
In light of that, it would be great if firefox/libnss were to allow
configuration of PKCS#11 modules externally -- not just on Linux,
but on OSX and Windows too.
Well, p11-kit does build on OSX and Windows too but it doesn't have
the
On Fri, May 8, 2015 5:38 am, David Woodhouse wrote:
These days it does. Modern systems ship with p11-kit², which exists
precisely to fill that gap and provide a standard discoverable
configuration for installed PKCS#11 modules.
Your citation ( http://p11-glue.freedesktop.org/p11-kit.html )
On Fri, May 8, 2015 6:09 am, David Woodhouse wrote:
On Linux distributions it *is* the platform's
mechanism of choice for configuring PKCS#11 tokens. NSS needs to
support it if it wants to integrate with the platform properly.
I'm sorry to continually push back on this, but you continue to
Bug 248722¹ has been open since 2004 requesting a system-wide
configuration for PKCS#11 modules. At the time, such a thing didn't
exist.
These days it does. Modern systems ship with p11-kit², which exists
precisely to fill that gap and provide a standard discoverable
configuration for installed
26 matches
Mail list logo