support for non-openpgp cards

Peter Gutmann pgut001 at
Fri Nov 19 09:32:20 CET 2004

Simon Josefsson <jas at> writes:

>IMHO, you should not care about broken implementations.  There is a well-
>defined PKCS#11 specification, even including header files. Write code for
>the specification.  If something doesn't work because someone isn't
>implementing the specification, that's their problem.

That would rule out about 99% of all PKCS #11 implementations in existence.
The problem is twofold, firstly the spec is very flexible (since it covers a
large number of crypto devices ranging from little tinkertoy smart cards up to
high-end crypto coprocessors) so there's a lot of room for interpretation,
secondly since the major driving force for PKCS #11 for many years was
Netscape, many vendors implemented whatever Netscape needed, which includes
Netscape bugs.  So you can't create an implementation "for the specification"
both because there are many ways to interpret it and because historically
drivers have done things other than the way the spec said they should.


More information about the Gnupg-devel mailing list