openpgp -> pkcs #11

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Jan 5 16:20:53 CET 2014


On 01/05/2014 01:33 PM, Werner Koch wrote:
> On Sat,  4 Jan 2014 17:26, nmav at gnutls.org said:
> 
>> I think it would be nice to have suggestions to accommodate the needs of
>> the openpgp card to the PKCS #11 committee.
> We already have a way to provide the card as PKCS#11 token for those who
> want that.  

If you are referring to the openpgp card opensc driver, it is really far
from being usable. I have reported the issues I had using the FSFE card
at:
http://sourceforge.net/mailarchive/forum.php?thread_name=1387821918.1143.18.camel%40aspire.lan&forum_name=opensc-devel

> In general I consider PKCS#11 too complicated due to a design
> targeted to proprietary applications.

Indeed it is, but it is not much more so than other security-related
standards (see X.509 and PKIX). Nevertheless, a card or a module need
not support the whole standard; it simply needs to implement the few
operations it supports. PKCS #11's design can support proprietary
applications as well as free software.

> It is bad enough that we usually don't have free software cards, but in
> most cases we do not even have complete card specs and instead vendors
> resort to hide them in their proprietary drivers.  That should be a
> no-no after the summer of snowden.

Most of the smart cards today are supported by the opensc drivers and
the PKCS #11 driver which is LGPLv2.1. In fact PKCS #11 today is used
mainly by free software (NSS is fully using PKCS #11, gnutls uses it for
asymmetric keys, p11-kit provides a PKCS #11 trust module, and
gnome-keyring, openssh, ...). It would be very good to have an open card
such as the openpgp card to integrate seamlessly in all that software.

regards,
Nikos