On Tue, May 12, 2015 at 8:40 AM, David Woodhouse <dw...@infradead.org> wrote: > On Mon, 2015-05-11 at 11:21 -0700, Ryan Sleevi wrote: >> It's not simply sufficient to load module X into Chrome or not. p11-kit's >> security model is *broken* for applications like Chrome, at least with >> respect to how you propose to implement. > > I've proposed at least four different options and asked for opinions > on which might be better and how to refine them; let's not get too > hung up on "how I propose to implement".
How about an even simpler solution? Don't have p11-kit load the PKCS#11 modules, just provide a list of paths and let the application pass those to NSS. That way the application can choose to transparently load modules without user interaction, offer a UI option for "load system modules", or provide a pick list of module to load. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto