From e3f828f40ddf160243dc0b106966d02eaa0f92b8 Mon Sep 17 00:00:00 2001 From: Petr Bokoc Date: Nov 27 2018 20:39:27 +0000 Subject: 184 - NSS loads p11-kit modules by default --- diff --git a/modules/release-notes/pages/sysadmin/Security.adoc b/modules/release-notes/pages/sysadmin/Security.adoc index dcabdc5..35031b1 100644 --- a/modules/release-notes/pages/sysadmin/Security.adoc +++ b/modules/release-notes/pages/sysadmin/Security.adoc @@ -3,3 +3,11 @@ include::{partialsdir}/entities.adoc[] [[sect-security]] = Security + +== NSS loads p11-kit modules by default + +Fedora provides a mechanism to configure PKCS#11 modules system wide, allowing crypto libraries (GnuTLS and OpenSSL) to use PKCS#11 modules in a consistent manner. +Until now, NSS applications haven't benefited from it as NSS uses a different configuration mechanism which requires users to register PKCS#11 modules in NSS databases. +Fedora 29 makes this manual procedure unnecessary by registering the `p11-kit-proxy` module (system PKCS#11 module aggregator) in NSS databases with the default configuration. +This allows NSS applciations to use PKCS#11 modules the same as other crypto libraries, enabling consistency in PKCS#11 driver registration across the system. +Consequently, users will see improvements in smart card and hardware security module (HSM) use in Fedora.
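Review bot: The fourth added sentence misspells "applications" as "applciations" ("This allows NSS applciations to use PKCS#11 modules"); please fix it before merging. In the first added sentence, "system wide" would read better hyphenated as "system-wide". The section also says the `p11-kit-proxy` module is registered in NSS databases "with the default configuration" but gives an administrator no way to confirm the registration or to opt out of it. Since this changes which PKCS#11 modules NSS applications load by default, consider adding a sentence or a link to the relevant documentation covering both.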