PKCS#11 support for gpg-agent

Olaf Gellert og at
Fri Sep 2 16:54:08 CEST 2005

Alon Bar-Lev wrote:

> When PGP was invented there WAS NO standard to send and receive signed
> and encrypted messages, so PGP implemented a proprietary method.
> Then, PGP tried to propose it as a standard... OpenPGP... But they have
> failed... It was not widely adopted...
> S/MIME was the standard adopted by the world, and PGP and gpg had to
> catch up.
> I think one should learn from history and not invent any new standard,
> especially when such already exists, implemented and adopted.

You are wrong in this regard: PGP is widely adopted (and what is your
definition of "the world"?). And it makes perfect sense to have both
worlds.

OpenPGP offers a completely different trust model which suits the needs
of some users very well (you can establish a web of trust with anyone
without overhead) while S/MIME (or better: X.509) uses a centralized,
CA-based model. For some applications I would never trust a commercial
certification authority, so in X.509 you have to operate your own CA...

Both S/MIME and OpenPGP are standards (S/MIME v.1 was more or less
proprietary stuff), you might have a look at the respective IETF
working groups (

>>>> I don't mean to write another agent.  Write a pkcs#11 driver which
>>>> uses gpg-agent as its token.
>>> This is the WRONG WRONG WRONG approach!!!!!!!
>> Why? The _only_ purpose of gpg-agent is to ask you for a password and to
>> keep that password in memory. You could use gpg-agent for _any_
>> application that requires a password.
> No... the purpose of gpg-agent is to allow gpg to access private
> (secret) keys that are located in different physical location such as
> smartcards...
> From my point of view this is THE MAJOR feature of gpg-agent...

Well, you might have a look at KMail, which uses all the GPG 1.9 stuff.
I was impressed by having a key manager, a smart card daemon and the
easy interface of gpg-agent. This framework does far more than any
PKCS11-implementation: For example it is able to handle revocation
lists and OCSP-queries. This enables applications to use S/MIME without
re-inventing the wheel.

So please be fair: Both S/MIME and PGP have their advantages and
disadvantages. And GPG seems to be on the way to being able to handle
both. This sounds like a good idea to me.

Cheers, Olaf

Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Senior Researcher,                       Consulting GmbH
Phone: (+49) 0700 / PRESECURE           og at

                        A daily view on Internet Attacks

More information about the Gnupg-users mailing list