PKCS#11 support for gpg-agent
og at pre-secure.de
Fri Sep 2 16:54:08 CEST 2005
Alon Bar-Lev wrote:
> When PGP was invented there WAS NO standard to send and receive signed
> and encrypted messages, so PGP have implemented a proprietary method.
> Then, PGP tried to propose it as a standard... OpenPGP... But they have
> failed... It was not widely adopted...
> S/MIME was the standard adopted by the world, and PGP and gpg had to
> catch up.
> I thing one should learn from history and not invent any new standard,
> especially when such already exists, implemented and adopted.
You are wrong in this regard: PGP is widely
adpopted (and what is your definition of
"the world"?). And it makes perfectly sense
to have both worlds.
OpenPGP offers a completely different trust
model which suits the needs of some users
very well (you can establish a web of trust
with anyone without overhead) while S/MIME
(or better: X.509) uses a centralized, CA-
based model. For some applications I would
never trust a commercial certification
authority, so in X.509 you have to operate
your own CA...
Both S/MIME and OpenPG are standards (S/MIME
v.1 was more or less proprietary stuff),
you might have a look at the according IETF
working groups (http://www.ietf.org/).
>>>> I don't meant to write another agent. Write a pkcs#11 driver which
>>>> uses gpg-agent as its token.
>>> This is the WRONG WRONG WRONG approach!!!!!!!
>> Why? The _only_ purpose of gpg-agent is to ask you for a password and to
>> keep that password in memory. You could use gpg-agent for _any_
>> application that requires a password.
> No... the purpose of gpg-agent is to allow gpg to access private
> (secret) keys that are located in different physical location such as
> From my point of view this is THE MAJOR feature of gpg-agent...
Well, you might have a look at KMail, which
uses all the GPG 1.9 stuff. I was impressed
by having a key manager, a smart card daemon
and the easy interface of gpg-agent. This
framework does far more than any PKCS11-
implementation: For exampel it is able to
handle revocation lists and OCSP-queries.
This enables applications to use S/MIME without
re-inventing the wheel.
So please be fair: Both S/MIME and PGP have
their advantages and disadvantages. And GPG
seems to be on the way to be able to handle
both. This sounds like a good idea to me.
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE og at pre-secure.de
A daily view on Internet Attacks
More information about the Gnupg-users