|Line 31:||Line 31:|
== Detailed Description ==
== Detailed Description ==
Fedora provides a mechanism to configure PKCS#11 modules system wide, allowing the crypto libraries (GnuTLS and OpenSSL) to use PKCS#11 modules in a consistent mannerNSS applications 't benefit from it as uses a different configuration mechanism which requires users to register PKCS#11 modules . This change makes the p11-kit-proxy module (the aggregator of the system PKCS#11 modules) by NSS provides a consistent user experience with other crypto libraries.
Revision as of 12:54, 2 June 2018
NSS load p11-kit modules by default
When NSS database is created, PKCS#11 modules configured in the system's p11-kit will be automatically registered and visible to NSS applications.
- Name: Daiki Ueno
- Email: firstname.lastname@example.org
- Release notes owner:
- Targeted release: Fedora 29
- Last updated: 2018-06-02
- Tracker bug: <will be assigned by the Wrangler>
Fedora provides a mechanism to configure PKCS#11 modules system wide, allowing the crypto libraries (GnuTLS and OpenSSL) to use PKCS#11 modules in a consistent manner. Until now NSS applications haven't benefit from it as NSS uses a different configuration mechanism which requires users to register PKCS#11 modules in NSS databases. This change makes the manual procedure unnecessary, by registering the p11-kit-proxy module (the aggregator of the system PKCS#11 modules) by default. That way, NSS provides a consistent user experience with other crypto libraries.
Benefit to Fedora
This change allows NSS applications to use PKCS#11 modules in the same way as other crypto libraries. That improves user experience of smartcards and HSMs on Fedora.
- Proposal owners:
- Modify the crypto-policies package to enable p11-kit-proxy in the newly created NSS database.
- Make sure that this change doesn't cause any regression with the existing applications.
- Other developers: N/A (not a System Wide Change)
- Release engineering: #Releng issue number (a check of an impact with Release Engineering is needed)
- List of deliverables: N/A
- Policies and guidelines: PackageMaintainers/PKCS11 needs changes basically to eliminate NSS specific stuff
- Trademark approval: N/A (not needed for this Change)
If the user previously used a conflicting configuration, such as using p11-kit-proxy as a replacement of p11-kit-trust, it will stop working.
How To Test
- install a PKCS#11 module, say softhsm2
- create an NSS database
- list modules registered to the NSS database, and check that there is softhsm2
NSS application users are no longer required to register PKCS#11 module manually.
firefox, and possibly sssd's smartcard support
- Contingency mechanism: Revert the change in crypto-policies
- Contingency deadline: Beta freeze
- Blocks release? No
- Blocks product? No
None (the existing documentation needs to be changed to not mention the special case of NSS)
It should be sufficient to have a simple sentence mentioning this change.