From: David W. <dw...@in...> - 2016-02-26 21:42:33
On Fri, 2016-02-26 at 16:20 +0100, Michal Trojnara wrote:
>
> I'm not sure what you mean by "depending on p11-kit". I agree p11-kit
> simplifies configuration on some popular desktop platforms. My point
> is OpenSSL is not exclusively used on desktop platforms. Shall we
> really require p11-kit? Wouldn't it limit the portability of OpenSSL?
> Shall we also merge p11-kit into OpenSSL?

It would limit the portability of the platforms on which you can build OpenSSL with this hypothetical PKCS#11 support, sure. It would largely limit it to the set of platforms on which you'd really *want* to. :)

With p11-kit we get proper integration into the system's configuration for which PKCS#11 modules should be loaded into which processes — again, a SHOULD in Fedora packaging guidelines, and a good idea elsewhere regardless. And we also get proper support for accessing modules from multiple callers within the same process.

But those *could* be solved just by using p11-kit-proxy.so as the default provider. That just leaves full PKCS#11 URI support, which I suppose we *could* reimplement...

--
dwmw2