= Proposed System Wide Change: NSS load p11-kit modules by default = https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules Owner(s): * Daiki Ueno <dueno at redhat dot com> When NSS database is created, PKCS#11 modules configured in the system's p11-kit will be automatically registered and visible to NSS applications. == Detailed description == Fedora provides a mechanism to configure PKCS#11 modules system wide, allowing the crypto libraries (GnuTLS and OpenSSL) to use PKCS#11 modules in a consistent manner. Until now NSS applications haven't benefit from it as NSS uses a different configuration mechanism which requires users to register PKCS#11 modules in NSS databases. This change makes the manual procedure unnecessary, by registering the p11-kit-proxy module (the aggregator of the system PKCS#11 modules) in NSS databases with the default configuration. See also: * https://bugzilla.redhat.com/show_bug.cgi?id=1173577 == Scope == * Proposal owners: ** Enable p11-kit-proxy in the newly created NSS database, through the crypto-policies package. ** Modify the opensc package not to register itself to the NSS database upon installation. * Other developers: ** Make sure that this change doesn't cause any regression with the existing applications. * Release engineering: [https://pagure.io/releng/issue/7548 #7548] ** List of deliverables: N/A * Policies and guidelines: PackageMaintainers/PKCS11 needs changes basically to eliminate NSS specific stuff * Trademark approval: N/A (not needed for this Change) -- Jan Kuřík JBoss EAP Program Manager Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic