Bug#537866: [esteid-dev] not as good as directly registering security modules, but...

Kalev Lember kalev at smartlink.ee
Tue Oct 19 15:29:21 UTC 2010


On 10/16/2010 08:34 PM, Martin-Éric Racine wrote:
> There is a Mozilla plugin (mozilla-esteid) that was packaged to
> support Estonian ID cards whose sole purpose is to load the
> onepin-opensc-pkcs11.so module:
>
> https://launchpad.net/~esteid/+archive/ppa

The extension does a few other things, but onepin-opensc-pkcs11.so
module loading is one of its most important tasks.


> Since most national ID cards use the same OpenSC module for basic
> login purposes using PIN1, shouldn't it be possible to turn this
> into a more generic Mozilla plugin that loads the above OpenSC module
> and

I believe both the esteid and beid Mozilla extensions have similar opensc
security module loading JS code; it wouldn't be too hard to factor out
the code and create a new Mozilla extension with the sole purpose of
loading the opensc security module.

However, if we are going to create a separate extension like that, I
think it should live in the upstream opensc repository. It's really their
turf and we shouldn't be stepping on their toes if they think it's the
wrong way to solve the problem. Can you take it up with the opensc guys?


> whose package Recommends any extra country-specific support package
> necessary for e.g. digital signing using PIN2 as e.g.
> browser-plugin-esteid-digidoc | browser-plugin-beid-digisign |
> browser-plugin-fineid-mpollux-digisign etc.?

I think the deps should be the other way around: the esteid and beid
extensions should depend on (or suggest) the opensc loader extension. I
wouldn't really want to end up with another country's extension
installed when I'm installing the opensc loader extension for the very
first time.


> This of course doesn't solve Mozilla's lack of a security module
> register, but it would already go a long way towards making national
> ID card support in Mozilla products a lot more generic.

I am not really interested in pushing for a new package which solves the
problem in the wrong way. However, having said that, I wouldn't mind
having a generic opensc Mozilla extension either if someone else does
the legwork.

In my personal opinion the "right" way to solve that is to have the opensc
package register its PKCS#11 module in the NSS database. It should
already be possible to do it like that in Fedora, but I am not sure
about Debian.

-- 
Kalev





More information about the pkg-mozilla-maintainers mailing list