On 2012-11-08 at 10:41 +0100, Nikos Mavrogiannopoulos wrote:
> Well a system daemon may use a hardware security module (HSM) to speed
> up, e.g., RSA and protect its keys, so it still makes sense there
> (smart cards and HSMs are both accessed via the PKCS #11 API).

True. In this case, the use of the same binary as the daemon and the interrogator, so that it _could_ be called by users, combined with initialising TLS support at start-up, is the issue.

> The approach seems correct to disable PKCS #11. I should also document
> it if it is not already there. However, were the requests to disable
> PKCS #11 due to the messages being printed by gnome-keyring, or
> because of some other reason?

Gnome support. In practice, most MTAs today will not be keeping keys in HSMs simply because they're too low value, without a means to verify host identity when connecting on MX. I hope that the DANE work and Tony Finch's draft for how to use that with mail/MX will change things.

> If it is the former could the gnome-keyring module be more silent on
> failures and print messages only if some debugging environment
> variable is present?

Ideally. However, mail server operators often keep up-to-date on the mail server software, so that they can react to security issues and get new features, while keeping the base OS unchanged. It will take years for the current gnome keyring modules to drop out of systems so that we can even consider switching the default.

-Phil

_______________________________________________
Help-gnutls mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-gnutls
