PKCS#11 in GnuPG (yes, again!)

Robert J. Hansen rjh at
Fri Jul 15 23:15:54 CEST 2011

> As many of you are well-aware, PKCS#11 is the de-facto standard for
> with cryptographic keys.

Having worked with PKCS11 a fair bit in a past life and a prior employer,
I would say it is one standard of many.  PC/SC is also in a good bit of
demand.  Further, most of the cryptographic tokens I've worked with have
actually had their own proprietary APIs, with PKCS11 and/or PC/SC
interfaces wrapped on top of them.  Some interfaces have been very good:
others have been a never-ending river of tears.

(Cheap rhetoric implying that anyone who disagrees is a zealot and/or
insane omitted.  Moving on...)

> I'll tell you the problem: antiquated ideas.  The reason why PKCS#11 is
> supported is because of the ideology of one person, Mr. Werner Koch.

His name is Werner Koch, not Steve Jobs.  :)

(In other words, "Werner doesn't have anywhere *near* the influence on the
technology scene that you seem to think.")

> If the OpenPGP card (a glorious, wonderful piece of kit) is ever going to
> make it out of almost-complete obscurity, PKCS#11 must be implemented in
> GnuPG-stable. ... Let us make real progress in the adoption of GnuPG and
> OpenPGP smart card cryptography by adopting the worldwide standard of
> PKCS#11.

I would recommend reading Shirley Gaw's paper, "Secrecy, Flagging and
Paranoia: Adoption Criteria in Encrypted Email"
(  That paper seems to be
the definitive treatise on why OpenPGP adoption (including smartcards) has
lagged so much.

Everybody has their own pet theory on why adoption is lagging.  Few of
these theories have ever been put to any kind of empirical test.  Why
should your theory be believed, when there are so many competing ones?  Why
should your theory be believed, when you haven't even addressed the issues
raised in Gaw's paper?
