2010/8/1 Stef <s...@memberwebs.com>:
> On 07/29/2010 10:20 PM, Ludovic Rousseau wrote:
>> 2010/7/20 Stef Walter <stef-l...@memberwebs.com>:
>>> On 07/20/2010 10:16 AM, Martin Paljak wrote:
>>>> So maybe the
>>>> "PKCS#11 directory" [3] is the best solution I've seen this far.
>>>
>>> That's certainly a good start.
>>
>> The PKCS#11 tokend [1] (tokend above any PKCS#11) does use the
>> "PKCS#11 directory" [3].
>> Having to configure a file is far from the "just work" approach used
>> on Mac OS X.
>
> I see what you mean. But I had sort of imagined that packagers of pkcs11
> modules would place the appropriate configuration file in the right
> place when the module is installed.

You can consider the library filename to _be_ the configuration file.
For example the OpenSC PKCS#11 lib is installed in /usr/lib/opensc-pkcs11.so
and a symbolic link is present in /usr/lib/pkcs11/ and points to the library.

>> So the probe() method of PKCS#11 tokend loads every
>> library present in the "PKCS#11 directory" and tries to use it [2].
>> If everything works up to C_GetTokenInfo() then the current PKCS#11
>> is selected.
>
> An interesting approach. Are there security consequences of this
> auto-load approach? I guess if that directory is not writable by the
> user, then I see no consequences above a configuration file.

The /usr/lib/pkcs11/ directory should be considered as a configuration
directory just like /etc.

>> It is not perfect. A score mechanism may be better. But PKCS#11 has no
>> way to report "I support this token very well" or "I have a limited
>> support of this token".
>
> Yes true. In addition there's no way to disable use of algorithms on
> specific PKCS#11 modules. For example NSS allows one to specify whether
> to use a module with RSA and/or DSA when installing that module.

If disabling an algorithm is global you could use the PKCS#11 lib
configuration file. /etc/opensc.conf in the case of OpenSC.

Why would you need this?

Bye

-- 
Dr. Ludovic Rousseau

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
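An added example, not the PKCS#11 tokend's code nor OpenSC's, showing the probe() loop the thread describes together with the "treat /usr/lib/pkcs11/ like /etc" point: every entry of the directory is listed, entries that an unprivileged user could have planted (wrong owner, group/world writable, symlink target outside a trusted library prefix) are rejected before anything is dlopen'ed, and each surviving library is tried up to C_GetTokenInfo(); the first one that works is selected. The trusted prefixes, the `list_candidates`/`probe_module`/`select_module` names and the partial `CK_FUNCTION_LIST_HEAD` layout are assumptions of this example (the entry order follows the PKCS#11 v2 function list; only the entries the probe calls carry real signatures).

```python
"""Added illustration of the "PKCS#11 directory" probe described in the thread:
list /usr/lib/pkcs11/-style entries, keep only those an unprivileged user could
not have planted (the directory is configuration, like /etc), then try each
library up to C_GetTokenInfo(). Not the tokend's own code."""
import ctypes
import os
import stat

# Assumption: a directory entry must resolve to a library under one of these
# prefixes (the thread's example target is /usr/lib/opensc-pkcs11.so).
TRUSTED_PREFIXES = ("/usr/lib/", "/usr/lib64/", "/usr/local/lib/", "/lib/")
CKR_OK, CKR_CRYPTOKI_ALREADY_INITIALIZED = 0, 0x191
CK_RV, CK_ULONG_P = ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)


def _trusted(st, uid):
    """Owned by uid and not writable by group or others."""
    return st.st_uid == uid and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def list_candidates(directory, trusted_uid=0, trusted_prefixes=TRUSTED_PREFIXES):
    """Return (accepted, rejected): resolved library paths worth probing, and
    (entry, reason) pairs for entries failing the configuration-directory checks."""
    try:
        dir_st = os.stat(directory)
    except OSError as exc:
        return [], [(directory, f"unreadable: {exc}")]
    if not (stat.S_ISDIR(dir_st.st_mode) and _trusted(dir_st, trusted_uid)):
        return [], [(directory, "directory not owned by trusted uid or writable by others")]
    accepted, rejected = [], []
    for name in sorted(os.listdir(directory)):
        entry = os.path.join(directory, name)
        try:
            link_st = os.lstat(entry)           # the entry itself, often a symlink
            target = os.path.realpath(entry)    # what it finally points to
            target_st = os.stat(target)
        except OSError as exc:
            rejected.append((name, f"unreadable: {exc}"))
            continue
        if link_st.st_uid != trusted_uid:       # symlink mode bits are meaningless: owner only
            rejected.append((name, "entry not owned by trusted uid"))
        elif not (stat.S_ISREG(target_st.st_mode) and _trusted(target_st, trusted_uid)):
            rejected.append((name, "target is not a trusted regular file"))
        elif not target.startswith(tuple(trusted_prefixes)):
            rejected.append((name, f"target {target} is outside the trusted prefixes"))
        elif target not in accepted:
            accepted.append(target)
    return accepted, rejected


class CK_FUNCTION_LIST_HEAD(ctypes.Structure):
    """Leading entries of CK_FUNCTION_LIST in PKCS#11 v2.x order (assumed partial
    layout); only the entries the probe calls carry real signatures."""
    _fields_ = [
        ("version", ctypes.c_ubyte * 2),        # CK_VERSION {major, minor}
        ("C_Initialize", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
        ("C_Finalize", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
        ("C_GetInfo", ctypes.c_void_p),
        ("C_GetFunctionList", ctypes.c_void_p),
        ("C_GetSlotList", ctypes.CFUNCTYPE(CK_RV, ctypes.c_ubyte, CK_ULONG_P, CK_ULONG_P)),
        ("C_GetSlotInfo", ctypes.c_void_p),
        ("C_GetTokenInfo", ctypes.CFUNCTYPE(CK_RV, ctypes.c_ulong, ctypes.c_void_p)),
    ]


def probe_module(path):
    """Try one library: C_GetFunctionList -> C_Initialize -> C_GetSlotList
    (tokens present only) -> C_GetTokenInfo on the first slot. Returns (ok, detail)."""
    try:
        lib = ctypes.CDLL(path)
    except OSError as exc:
        return False, f"cannot load: {exc}"
    if not hasattr(lib, "C_GetFunctionList"):
        return False, "no C_GetFunctionList symbol: not a PKCS#11 module"
    getlist = lib.C_GetFunctionList
    getlist.restype = CK_RV
    getlist.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST_HEAD))]
    fl = ctypes.POINTER(CK_FUNCTION_LIST_HEAD)()
    rv = getlist(ctypes.byref(fl))
    if rv != CKR_OK:
        return False, f"C_GetFunctionList failed: 0x{rv:x}"
    f = fl.contents
    rv = f.C_Initialize(None)
    if rv not in (CKR_OK, CKR_CRYPTOKI_ALREADY_INITIALIZED):
        return False, f"C_Initialize failed: 0x{rv:x}"
    try:
        count = ctypes.c_ulong(0)
        if f.C_GetSlotList(1, None, ctypes.byref(count)) != CKR_OK or count.value == 0:
            return False, "no slot with a token present"
        slots = (ctypes.c_ulong * count.value)()
        rv = f.C_GetSlotList(1, slots, ctypes.byref(count))
        if rv != CKR_OK:
            return False, f"C_GetSlotList failed: 0x{rv:x}"
        info = ctypes.create_string_buffer(512)  # larger than CK_TOKEN_INFO on any ABI
        rv = f.C_GetTokenInfo(slots[0], info)
        if rv != CKR_OK:
            return False, f"C_GetTokenInfo failed: 0x{rv:x}"
        return True, info.raw[:32].decode("ascii", "replace").rstrip()  # label field
    finally:
        f.C_Finalize(None)


def select_module(directory, **checks):
    """The probe() loop from the thread: the first library that works up to
    C_GetTokenInfo() is selected."""
    for path in list_candidates(directory, **checks)[0]:
        ok, detail = probe_module(path)
        if ok:
            return path, detail
    return None, "no usable PKCS#11 module found"


if __name__ == "__main__":
    print(select_module("/usr/lib/pkcs11"))
```

The ownership and mode checks are what make the auto-load approach no worse than a configuration file, as the thread argues: a module can only be picked up if root (or the packager) put it there, exactly as with /etc/opensc.conf. A real tokend would additionally keep a selected module's handle open rather than finalizing it as this probe does.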