On Wed, 8 Oct 2008, Glenn Barry wrote: > > This came-up in the pkinit discussions yesterday: > > Does a pkcs11 module outside the crypto framework (that is, not > installed via cryptoadm) need to be signed in order to be used (legally) > by an OpenSolaris app (kinit(1) for example)?
Hi Glenn - If it is going to be used as part of the cryptographic framework, then yes, it needs to be signed. If you'd like to use it directly, instead of using the cryptographic framework, then no, it would not need to be signed. But, most things in opensolaris link directly to libpkcs11 when built, which then attaches to the cryptographic framework. Some things, like browsers, though, can be configured by the user. Valerie -- Valerie Fenwick, http://blogs.sun.com/bubbva Solaris Security Technologies, Developer, Sun Microsystems, Inc. 17 Network Circle, Menlo Park, CA, 94025.
