PKCS#11 support for gpg-agent

Alon Bar-Lev alon.barlev at gmail.com
Fri Sep 2 18:42:51 CEST 2005


Hello,

> You are wrong in this regard: PGP is widely
> adopted (and what is your definition of
> "the world"?). And it makes perfect sense
> to have both worlds.

I won't argue with that...
But the trend is not in favor of PGP.

> OpenPGP offers a completely different trust
> model which suits the needs of some users
> very well (you can establish a web of trust
> with anyone without overhead) while S/MIME
> (or better: X.509) uses a centralized, CA-
> based model. For some applications I would
> never trust a commercial certification
> authority, so in X.509 you have to operate
> your own CA...

You are wrong!
You can use self-signed certificates in a trust model similar 
to PGP.

> Both S/MIME and OpenPGP are standards (S/MIME
> v.1 was more or less proprietary stuff),
> you might have a look at the according IETF
> working groups (http://www.ietf.org/).

True... I know... But the S/MIME standard is the one which is 
implemented in every mail client program... not PGP...

> Well, you might have a look at KMail, which
> uses all the GPG 1.9 stuff. I was impressed
> by having a key manager, a smart card daemon
> and the easy interface of gpg-agent. This
> framework does far more than any PKCS11-
> implementation: For example it is able to
> handle revocation lists and OCSP queries.
> This enables applications to use S/MIME without
> re-inventing the wheel.

You don't understand what PKCS#11 is!!!!
Maybe that is the reason for all of these arguments...

PKCS#11 is an API needed to access a cryptographic token. 
PKCS#11 is NOT OCSP or PKI or X.509. It just specifies how an 
application should access a cryptographic token that can 
perform hashing, symmetric and asymmetric key operations, key 
handling etc...
A typical application needs to use PKCS#11 __ONLY__ for the 
following purposes:
1. Perform operations with a private key located on the token.
2. Fetch X.509v3 Digital Certificates from the token (user 
identities).

> So please be fair: Both S/MIME and PGP have
> their advantages and disadvantages. And GPG
> seems to be on the way to be able to handle
> both. This sounds like a good idea to me.

I am sorry, but I don't agree.
I don't find any advantage to keep OpenPGP formats. There is 
PKCS#7 for signed/enveloped data and S/MIME that uses PKCS#7 
for email.
Using self-signed certificates and PKCS#7 and S/MIME you get a 
full replacement for PGP... It will take several years, but 
eventually it will happen.
Even PGP Corp (www.pgp.com) understood that its future is in 
S/MIME and PKI, so they are adjusting their product toward it.

My initial request was to consider supporting the PKCS#11 standard 
in order to access keys that are located on cryptographic tokens, 
instead of using a proprietary card format... This should be 
done regardless of our small debate regarding S/MIME and PGP.

I hope you read more regarding PKCS#11 at 
www.rsasecurity.com/rsalabs/pkcs/pkcs-11/index.html and 
understand its role in cryptographic applications and that gpg 
can benefit from it.

Best Regards,
Alon Bar-Lev.
