open-eid / firefox-pkcs11-loader

This package provides a helper script for Firefox that sets up the browser for authentication with the Estonian ID-card
GNU Lesser General Public License v2.1

package deprecated? #41

Open Germano0 opened 1 month ago

Germano0 commented 1 month ago

Hello, Fedora open-eid package co-maintainer here. I am about to include web-eid-app into the Fedora repository. I tested web-eid on a clean environment and I noticed that firefox-pkcs11-loader is not needed for it to work properly. I signed documents online and accessed websites that require the Estonian ID card. Therefore, with this ticket I would like to ask for confirmation that firefox-pkcs11-loader is deprecated and no longer needed.

Best regards

martinpaljak commented 1 month ago

Websites that rely on TLS based authentication (vs web-eid) will still need the PKCS#11 module loaded (and I'd guess the pkcs11-loader module still does the automagic trick). But things might have changed and someone will correct me.

Germano0 commented 1 month ago

Can you provide a URL of a website that relies on TLS-based authentication, so I can run a test?

martinpaljak commented 1 month ago

Such sites exist in plenty. The point here is that web-eid-app and the firefox pkcs11 module loader are not connected (one does not need the other to function) but the websites out there depend on either one. IMHO the main question is if this (firefox pkcs11 loader) package should be pulled in as a dependency by open-eid metapackage.

Germano0 commented 1 month ago

> IMHO the main question is if this (firefox pkcs11 loader) package should be pulled in as a dependency by open-eid metapackage.

It is currently a dependency. I opened this ticket to decide if it needs to be removed in the future.

metsma commented 1 month ago

There are still plenty of sites that use TLS-CCA authentication. Firefox-pkcs11-loader is deprecated because OpenSC provides similar functionality. I am not sure if Fedora's OpenSC provides this; it needs to be verified.

martinpaljak commented 1 month ago

@metsma are you referring to p11-kit module registration and proxy module automatic configuration, or is there now a similar extension in OpenSC?

metsma commented 1 month ago

@martinpaljak no, there is the pkcs11-register tool, and it is called via xdg autostart to register the pkcs11 module in the nss database. https://github.com/OpenSC/OpenSC/blob/master/src/tools/pkcs11-register.c

martinpaljak commented 1 month ago

@metsma oh, did not know this. Sounds like a better approach, indeed!

metsma commented 1 month ago

I don't see that xdg autostart is enabled in the Fedora package. https://packages.fedoraproject.org/pkgs/opensc/opensc/fedora-rawhide.html The Ubuntu package has it (/etc/xdg/autostart/pkcs11-register.desktop) https://packages.ubuntu.com/noble/amd64/opensc/filelist

Germano0 commented 1 month ago

I asked Fedora OpenSC package maintainers here https://bugzilla.redhat.com/show_bug.cgi?id=2299181

Germano0 commented 1 month ago

A Fedora OpenSC package maintainer wrote:

> OpenSC is automatically registered to any NSS database in Fedora through p11-kit proxy for several releases. This is done as part of crypto policies, which might not be obvious/straightforward, but it should work: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/blob/master/python/policygenerators/nss.py?ref_type=heads#L14
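One way to verify on a concrete machine whether the loader is still needed, added here as an example and not code from this thread or from either project: a POSIX shell script that asks `modutil` (from nss-tools) which PKCS#11 modules each Firefox profile's NSS database already has, and looks for OpenSC or the p11-kit proxy. The `modutil` listing embedded in it is constructed for the self-test; the profile directory and the two system-wide file paths it reports on are assumed typical locations.

```shell
#!/bin/sh
# Added example (not from the thread): does a Firefox profile's NSS database
# already carry a smart-card PKCS#11 module, as firefox-pkcs11-loader,
# OpenSC's pkcs11-register, or the p11-kit proxy would register it?

# Constructed sample of `modutil -list` output, used by the self-test below.
SAMPLE_LISTING='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
       slots: 2 slots attached
      status: loaded

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
       slots: 1 slot attached
      status: loaded
-----------------------------------------------------------'

# Read a modutil listing on stdin; print the first smart-card capable library
# found (OpenSC directly, or the p11-kit proxy that forwards to it), or "none".
nss_smartcard_module_name() {
    name=$(grep -ioE '(onepin-opensc-pkcs11|opensc-pkcs11|p11-kit-proxy)\.so' | head -n 1)
    echo "${name:-none}"
}

# Exit status 0 when such a module is registered in the listing on stdin.
nss_has_smartcard_module() {
    [ "$(nss_smartcard_module_name)" != "none" ]
}

# Walk the default Firefox profile directory (assumed path) and report each
# profile. Needs `modutil` from nss-tools; run while Firefox is closed.
check_firefox_profiles() {
    for dir in "$HOME"/.mozilla/firefox/*/; do
        [ -f "${dir}cert9.db" ] || continue
        mod=$(modutil -dbdir "sql:$dir" -list 2>/dev/null | nss_smartcard_module_name)
        if [ "$mod" != "none" ]; then
            echo "$dir: $mod registered, loader not needed here"
        else
            echo "$dir: no smart-card module; loader or pkcs11-register still required"
        fi
    done
}

# Report the system-wide registration mechanisms discussed in the thread
# (assumed typical paths for the OpenSC xdg autostart entry and p11-kit module file).
report_system_registration() {
    [ -f /etc/xdg/autostart/pkcs11-register.desktop ] \
        && echo "OpenSC pkcs11-register xdg autostart entry present"
    [ -f /usr/share/p11-kit/modules/opensc.module ] \
        && echo "OpenSC registered with p11-kit (proxy can expose it to NSS)"
    return 0
}
```

Run `check_firefox_profiles; report_system_registration` as the desktop user to see which path, if any, currently exposes the card to Firefox.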

martinpaljak commented 1 month ago

@Jakuje is also OpenSC upstream maintainer, so all should be good, you should be able to drop this dependency.

Germano0 commented 1 month ago

Thank you. I would like to have @metsma's confirmation too.

metsma commented 1 month ago

I do not have any knowledge of how p11-kit works and whether it is installed on plain Fedora. Maybe you need to add some dependency to the open-eid metapackage.

Jakuje commented 1 month ago

p11-kit is installed by default on Fedora as it handles the central CA Certificates key store among other things.