openpgp -> pkcs #11

Nikos Mavrogiannopoulos nmav at
Sun Jan 5 16:20:53 CET 2014

On 01/05/2014 01:33 PM, Werner Koch wrote:
> On Sat,  4 Jan 2014 17:26, nmav at said:
>> I think it would be nice to have suggestions to accommodate the needs of
>> the openpgp card to the PKCS #11 committee.
> We already have a way to provide the card as PKCS#11 token for those who
> want that.  

If you are referring to the openpgp card opensc driver, it is really far
from being usable. I have reported the issues I had using the FSFE card

> In general I consider PKCS#11 too complicate due to a design
> targeted to proprietary applications.

Indeed it is, but it is not much more than other security-related
standards (see X.509 and PKIX). Nevertheless, a card or a module needs
not to support the whole standard, it simply needs to implement the few
operations it supports. PKCS #11's design can support proprietary
applications as well as free software.

> It is bad enough that we usually don't have free software cards, but in
> most cases we do not even have complete card specs and instead vendors
> resort to hide them in their proprietary drivers.  That should be a
> no-no after the summer of snowden.

Most of the smart cards today are supported by the opensc drivers and
the PKCS #11 driver which is LGPLv2.1. In fact PKCS #11 today is used
mainly by free software (NSS is fully using PKCS #11, gnutls uses it for
asymmetric keys, p11-kit provides a PKCS #11 trust module, and
gnome-keyring, openssh, ...). It would be very good to have an open card
such as the openpgp card to integrate seamlessly in all that software.


More information about the Gnupg-devel mailing list