On Tue, 2016-06-21 at 09:39 +0200, Nikos Mavrogiannopoulos wrote:
> On Mon, 2016-06-20 at 15:07 +0100, David Woodhouse wrote:
> > On Mon, 2016-06-20 at 15:50 +0200, Lubomir Rintel wrote:
> > >
> > > Another problem is that the p11-kit-remote tool needs a module name;
> > > but the VPN daemon only knows the PKCS#11 URI. Would it make sense to
> > > extend the tool to do the resolution as well? [3]
> > >
> > > [3] https://github.com/NetworkManager/p11-kit/commit/254ae1a6.patch
> > No. It should be using p11-kit-proxy.so (or loading the full set of
> > modules as indicated by the p11-kit config).
>
> Why is that? Why not resolve the URL provided and remote only the
> required module?

I thought we were generally trying to move away from explicitly loading
specific modules. If the correct set of modules is expected to be loaded
*automatically* by p11-kit config, then it shouldn't really be
*necessary* to provide it.

I'm not quite sure how the above patch works, anyway. If I have a
PKCS#11 URI of 'pkcs11:manufacturer=piv_II;id=%01' and it doesn't have
access to the card reader. Or if I have a URI of an object in my
personal gnome-keyring token... how does it get resolved to a module
name?

-- 
dwmw2
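The resolution question raised in this message, as an added example that is not part of the thread and is not p11-kit's code or the logic of the patch under discussion: it parses an RFC 7512 URI and matches it against what each module currently reports. The attribute names come from RFC 7512; the module names and token inventory are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

# Constructed inventory: tokens each loaded module currently reports.
# Module names, labels and object ids are made up for illustration.
INVENTORY = {
    "opensc": [{"manufacturer": "piv_II", "token": "PIV Card", "ids": [b"\x01"]}],
    "gnome-keyring": [{"manufacturer": "Gnome Keyring", "token": "Login", "ids": [b"\x10"]}],
}
TOKEN_ATTRS = ("token", "manufacturer", "serial", "model")  # RFC 7512 token attributes


def _split(part, sep):
    """Parse 'k=v' pairs separated by sep, percent-decoding values to bytes."""
    attrs = {}
    for item in filter(None, part.split(sep)):
        key, eq, value = item.partition("=")
        if not eq:
            raise ValueError(f"malformed attribute: {item!r}")
        attrs[key] = unquote_to_bytes(value)
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for an RFC 7512 'pkcs11:' URI."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    return _split(path, ";"), _split(query, "&")


def resolve_modules(uri, inventory):
    """Names of modules that could serve the URI, given what they report now."""
    path, query = parse_pkcs11_uri(uri)
    if "module-name" in query:  # the only case where the URI itself names a module
        return [query["module-name"].decode()]
    wanted = {k: path[k].decode() for k in TOKEN_ATTRS if k in path}
    hits = []
    for module, tokens in inventory.items():
        for tok in tokens:
            if all(tok.get(k) == v for k, v in wanted.items()) and (
                "id" not in path or path["id"] in tok["ids"]
            ):
                hits.append(module)
                break
    return hits
```

With the reader unavailable the same URI matches nothing, because none of its path attributes identifies a module on its own; only the `module-name` query attribute does.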