Every time I do "dnf update", "openssl-pkcs11" pops up as a weak dependency, which some other package tries to pull in. I always exclude the package from the transaction, because it does not look important, but I actually have no idea if it is or is not important. I would love to see the description improved to elaborate on this. E.g. in my specific case, I am using a Lenovo t470s. Is this package useful for me or not? Should I install it or can I avoid it permanently?
openssl-pkcs11 installs an OpenSSL engine which allows accessing cryptographic modules (smartcards, HSMs) through the PKCS#11 API. The current description is: "openssl-pkcs11 is an implementation of an engine for OpenSSL. It can be loaded using code, config file or command line and will pass any function call by OpenSSL to a PKCS#11 module. openssl-pkcs11 is meant to be used with smart cards and software for using smart cards in PKCS#11 format, such as OpenSC." Can you please point out what is not clear? If you are not using PKCS#11 devices, like smartcards, you probably don't need it.
When I see this package in my update list, I always have questions like:

* Do I need this package on my laptop?
* Will my system blow up if I don't have it installed?
* What does it actually do?
* Why is it going to be installed on my system?
* What is PKCS#11?

Maybe if there was something like your last sentence, i.e. "If you are not using PKCS#11 devices, like smartcards, probably you don't need it." it would help. But again, there is the PKCS#11 mentioned again. I was encouraged by Nikos to ask for improvement of the description during his Flock talk, so maybe he could have some idea already.
I was thinking, based on Vit's question at the Flock talk, that we probably don't have a good description in the spec file, i.e., a description which is understandable even by someone who is not already in the pkcs11 gang. Let's use this bug to discuss what we could improve. What we have now is: "openssl-pkcs11 is an implementation of an engine for OpenSSL. It can be loaded using code, config file or command line and will pass any function call by OpenSSL to a PKCS#11 module. openssl-pkcs11 is meant to be used with smart cards and software for using smart cards in PKCS#11 format, such as OpenSC." In case my understanding was correct, let me take a quick try: "openssl-pkcs11 enables hardware security module (HSM), and smart card support in openssl applications. More precisely, it is an openssl engine that is meant to make available all registered pkcs11 drivers for HSMs or smart cards to openssl applications" Does it look any better? Something that can be improved, replaced?
(In reply to Nikos Mavrogiannopoulos from comment #3)
> "openssl-pkcs11 enables hardware security module (HSM), and smart card
> support in openssl applications. More precisely, it is an openssl engine
> that is meant to make available all registered pkcs11 drivers for HSMs or
> smart cards to openssl applications"

This sounds much better. But I would love to see there something about it being optional and configurable, so what if it was extended by:

~~~
Based on HW configuration, the engine can be optionally loaded using a code, config file or command line.
~~~
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.
Makes sense to me. Anderson, what do you think?
(In reply to Nikos Mavrogiannopoulos from comment #6)
> Makes sense to me. Anderson what do you think?

Sorry for taking so long to get back to this discussion. I understand that the description is not clear for people not familiar with some terms, but I believe some wording is useful for the people in the crypto area to quickly understand what the purpose of the package is. Some may look like a lot of random letters (like "PKCS#11"), but someone familiar with it would instantly understand what it means. Along the same lines, I believe the words "HSM", "smart card", "OpenSSL", "engine", "module", and "API" have a specific meaning for people who could be interested in using the package.

This being said, I suggest the following description: "openssl-pkcs11 enables hardware security module (HSM), and smart card support in OpenSSL applications. More precisely, it is an OpenSSL engine which makes registered PKCS#11 modules available for OpenSSL applications. The engine is optional and can be loaded by configuration file, command line or through the OpenSSL ENGINE API."

What do you think? Is this more clear than the original description? What could be improved?
(In reply to Anderson Sasaki from comment #7) That is a much better description than the original one. Thank you!
openssl-pkcs11-0.4.8-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6e46af6a08
openssl-pkcs11-0.4.8-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6e46af6a08
openssl-pkcs11-0.4.8-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.