PKCS#11 support for gpg-agent

Patrick Brunschwig patrick at mozilla-enigmail.org
Fri Sep 2 16:06:35 CEST 2005


Alon Bar-Lev wrote:
> Werner Koch wrote:
[...]
>>> you have a problem only with PKCS#11...
>>
>> Because it is such an ugly "standard" [the quotes are on purpose].
>>
> I am sorry to read that... I think it is a good standard... Just like
> any RSA Security PKCS#* standard... at least it is a standard that most
> programmers agree on...
> I don't understand why you guys did not rewrite the PKCS#7, PKCS#1,
> PKCS#8, PKCS#9 standards... And maybe to stay with the PGP standard and
> not migrate to S/MIME...
> The whole new work of gpg 1.9 was to migrate to S/MIME... Why!?!?!?!
> You could have been very happy in your closed PGP format world.
> Even if the standards are ugly, they at least work!

I think this is a misunderstanding. gpg 1.9 is not about _migration_ to
S/MIME, it's about _adding_ S/MIME to gpg. There is no reason why gpg
2.0 would not support OpenPGP. What is true, though, is that so far, gpg
1.9 was only about adding S/MIME to gpg. But AFAIK it is the goal to
merge gpg 1.4 with gpg 1.9.


>>> When a user buys his email signature/encryption certificate he expects
>>> to be able to use it in all smartcard-enabled applications... PKCS#11
>>> provides this ability, and is
>>
>> Yes he expects this and will soon see that it was just an expectation.
>>
> I am afraid you are totally wrong here... I hope you will wake up
> some day...
> I am responsible for replacing software/suggesting correct software for
> using smartcards.
> Currently gpg is on my black list... And because of this I tried to talk
> with you first to make you understand what you do wrong...
> It seems that I've failed!
> You don't understand or don't want to understand what the user expects,
> so you fail to provide it.
>
>>> Yes, I know that I can write my own agent... But I still think it
>>> will be a mistake.
>>
>> I didn't mean to write another agent.  Write a PKCS#11 driver which
>> uses gpg-agent as its token.
>>
> This is the WRONG WRONG WRONG approach!!!!!!!

Why? The _only_ purpose of gpg-agent is to ask you for a password and to
keep that password in memory. You could use gpg-agent for _any_
application that requires a password.

-Patrick