PGP and Smartcards?

Zeljko Vrba zvrba at
Mon Jul 25 16:45:25 CEST 2005

Werner Koch wrote:
> On Fri, 22 Jul 2005 23:42:39 +0200, Felix E Klee said:
>>isn't that interesting, though.  The point is that AFAICS PKCS#11
>>clearly defines an API, and perhaps it may become an ISO standard in the
> No it does not define a clean API.  Almost everyone is using
> proprietary extensions and I don't consider that a standard.  It is a
The standard allows for proprietary extensions. However, I have seen
several implementations and all of them can do what GPG needs w/o using
any extensions.

> If we would try to support all pcks#11 supported tokes we need to add
> a lot of extra code to gpg to cope with minor pecularities of the
> tokens.
Unfortunately :( Although the PKCS#11 defines an interface, every vendor
has its own interpretation of it because it is, well, complex and vague
at some points.

Still, my opinion is that PKCS#11 has more-or-less succeeded where
ISO7816 has failed: to unify the interface for accessing any kind of
cryptographic token (it is not limited to smart-cards either). And I
think it is illusionary to think that smart-card vendors are *ever*
going to fully conform to the ISO spec.

In their world of business, it makes all vendors replacable. And since
most of the vendors already have an established market, it is not in
their interest to become replacable. Which makes me wonder.. maybe they
even interpret on purpose the vague PKCS#11 points differently from
their competitors.

> And well, complexity is the worsest enemy of security.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 254 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20050725/8b4f12f0/signature.pgp

More information about the Gnupg-users mailing list