< Changes
(Created page with "<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name. This keeps all change proposals in the same namespace --> = R...") |
(minor tweaks) |
||
| Line 5: | Line 5: | ||
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. --> | <!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. --> | ||
There are more PKCS#11 libraries supporting the same smart cards in the system. For the next releases, we would like to promote OpenSC as a default PKCS#11 provided | There are more PKCS#11 libraries supporting the same smart cards in the system. For the next releases, we would like to promote OpenSC as a default PKCS#11 provided to the place where Coolkey driver is used these days, which will extend a list of supported smart cards and make use of the most of the OpenSC. | ||
== Owner == | == Owner == | ||
* Name: [[User:jjelen| Jakub Jelen]] | * Name: [[User:jjelen| Jakub Jelen]] | ||
* Email: jjelen@redhat.com | * Email: jjelen@redhat.com | ||
* Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> --> | * Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> --> | ||
| Line 30: | Line 29: | ||
<!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --> | <!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --> | ||
Currently, there are several PKCS#11 modules available in Fedora. Some of them provide the same functionality as the others. Currently, the majority of the work around smart cards is done in the OpenSC project supporting all the major cards. On the other side, there is no significant development efforts in Coolkey project, which is currently used by default in some applications. | Currently, there are several PKCS#11 modules available in Fedora. Some of them provide the same functionality as the others. Currently, the majority of the work around smart cards is done in the OpenSC project supporting all the major cards we are interested to have in Fedora. On the other side, there is no significant development efforts in Coolkey project, which is currently used by default in some applications (NSS). | ||
The provided libraries are PKCS#11 libraries, so existing applications should not depend directly on either package. The transition should be smooth as the change of the path in the configurations if any. The only exceptions are NSS (Coolkey installs its module to the NSS database), | The provided libraries are PKCS#11 libraries, so existing applications should not depend directly on either package. The transition should be smooth as the change of the path in the configurations, if any. The only exceptions are NSS (Coolkey installs its module to the NSS database), [https://admin.fedoraproject.org/pkgdb/package/esc ESC] and [https://admin.fedoraproject.org/pkgdb/package/rpms/pesign/ pesign] (explicit requires should be [https://bugzilla.redhat.com/show_bug.cgi?id=1349073 removed]). | ||
$ dnf repoquery --whatrequires coolkey | $ dnf repoquery --whatrequires coolkey | ||
| Line 40: | Line 39: | ||
We would like to | We would like to | ||
* Get rid of explicit requires (pesign, esc) | * Get rid of explicit requires (pesign, esc) | ||
* Switch the applications | * Switch the default PKCS#11 module in applications from Coolkey to OpenSC (NSS, ESC, pesign, ...?) | ||
* Retire the Coolkey package from Fedora (estimated in Fedora 27) | * Retire the Coolkey package from Fedora (estimated in Fedora 27) | ||
During last months we worked with NSS to implement and test missing features in OpenSC to follow CoolKey driver and specification behavior. | |||
== Benefit to Fedora == | == Benefit to Fedora == | ||
| Line 48: | Line 49: | ||
Having multiple PKCS#11 provider libraries can be confusing for users especially when used over proxy, such as p11-kit. In this case the tokens could show up multiple times. | Having multiple PKCS#11 provider libraries can be confusing for users especially when used over proxy, such as p11-kit. In this case the tokens could show up multiple times. | ||
There is no significant development going on in Coolkey anymore, unlike with OpenSC, which has very active upstream. | There is no significant development going on in Coolkey anymore, unlike with OpenSC, which has very active upstream, both delivering new drivers for new cards frequently and fixing problems promptly. | ||
== Scope == | == Scope == | ||
| Line 54: | Line 55: | ||
For Fedora 26, we want to switch all applications to OpenSC and leave Coolkey as a backup. We will unregister coolkey from NSS database and register OpenSC instead. | For Fedora 26, we want to switch all applications to OpenSC and leave Coolkey as a backup. We will unregister coolkey from NSS database and register OpenSC instead. | ||
For Fedora 27, we would like to retire coolkey package. | For Fedora 27, we would like to retire coolkey package, if there will not show up any problem with the transition in previous phase. | ||
== Upgrade/compatibility impact == | == Upgrade/compatibility impact == | ||
Previously installed Fedora will have Coolkey registered in NSS database (if installed). The upgrade path needs to ensure that the coolkey will be removed from database and OpenSC installed instead (explicit requires Coolkey -> OpenSC?). All the cards supported by Coolkey should be supported by OpenSC by now. | Previously installed Fedora will have Coolkey registered in NSS database (if installed). The upgrade path needs to ensure that the coolkey will be removed from database and OpenSC installed instead (explicit requires Coolkey -> OpenSC?). | ||
All the cards supported by Coolkey should be supported by OpenSC by now ([https://github.com/OpenSC/OpenSC/pull/841 CAC patch pending]). | |||
== How To Test == | == How To Test == | ||
| Line 72: | Line 75: | ||
== Dependencies == | == Dependencies == | ||
The dependency on Coolkeey package should be dropped or changed to OpenSC. | |||
<!-- What other packages (RPMs) depend on this package? Are there changes outside the developers' control on which completion of this change depends? In other words, completion of another change owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate? Other upstream projects like the kernel (if this is not a kernel change)? --> | <!-- What other packages (RPMs) depend on this package? Are there changes outside the developers' control on which completion of this change depends? In other words, completion of another change owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate? Other upstream projects like the kernel (if this is not a kernel change)? --> | ||
Revision as of 12:29, 10 January 2017
Replace Coolkey with OpenSC
Summary
There are more PKCS#11 libraries supporting the same smart cards in the system. For the next releases, we would like to promote OpenSC as a default PKCS#11 provided to the place where Coolkey driver is used these days, which will extend a list of supported smart cards and make use of the most of the OpenSC.
Owner
- Name: Jakub Jelen
- Email: jjelen@redhat.com
- Release notes owner:
Current status
- Targeted release: Fedora 26
- Last updated: 2017-01-10
- Tracker bug: <will be assigned by the Wrangler>
Detailed Description
Currently, there are several PKCS#11 modules available in Fedora. Some of them provide the same functionality as the others. Currently, the majority of the work around smart cards is done in the OpenSC project supporting all the major cards we are interested to have in Fedora. On the other side, there is no significant development efforts in Coolkey project, which is currently used by default in some applications (NSS).
The provided libraries are PKCS#11 libraries, so existing applications should not depend directly on either package. The transition should be smooth as the change of the path in the configurations, if any. The only exceptions are NSS (Coolkey installs its module to the NSS database), ESC and pesign (explicit requires should be removed).
$ dnf repoquery --whatrequires coolkey esc-0:1.1.0-30.fc25.x86_64 pesign-0:0.112-4.fc25.x86_64
We would like to
- Get rid of explicit requires (pesign, esc)
- Switch the default PKCS#11 module in applications from Coolkey to OpenSC (NSS, ESC, pesign, ...?)
- Retire the Coolkey package from Fedora (estimated in Fedora 27)
During last months we worked with NSS to implement and test missing features in OpenSC to follow CoolKey driver and specification behavior.
Benefit to Fedora
Having multiple PKCS#11 provider libraries can be confusing for users especially when used over proxy, such as p11-kit. In this case the tokens could show up multiple times.
There is no significant development going on in Coolkey anymore, unlike with OpenSC, which has very active upstream, both delivering new drivers for new cards frequently and fixing problems promptly.
Scope
- Proposal owners:
For Fedora 26, we want to switch all applications to OpenSC and leave Coolkey as a backup. We will unregister coolkey from NSS database and register OpenSC instead.
For Fedora 27, we would like to retire coolkey package, if there will not show up any problem with the transition in previous phase.
Upgrade/compatibility impact
Previously installed Fedora will have Coolkey registered in NSS database (if installed). The upgrade path needs to ensure that the coolkey will be removed from database and OpenSC installed instead (explicit requires Coolkey -> OpenSC?).
All the cards supported by Coolkey should be supported by OpenSC by now (CAC patch pending).
How To Test
- Make sure you have installed the packages below:
opensc,coolkeyandnss
- The command
modutil -list -dbdir /etc/pki/nssdbshould listCoolKey PKCS #11 Module - Any of your application using Smart Cards/PKCS#11 should work with
/usr/lib64/pkcs11/opensc-pkcs11.soPKCS#11 module instead of/usr/lib64/pkcs11/libcoolkeypk11.so
User Experience
N/A (not a System Wide Change)
Dependencies
The dependency on Coolkeey package should be dropped or changed to OpenSC.
N/A (not a System Wide Change)
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
- Blocks product? product
Documentation
N/A (not a System Wide Change)