OpenPGP Card

David Picon Alvarez eleuteri at myrealbox.com
Tue Sep 6 23:40:39 CEST 2005


Alon,
First, I might have written to you directly instead of to the list. If so
I'm sorry, I screwed up with my mail agent.

> There is no sense in turning Linux environment to be less
> attractive for free software development, since smart card are
> hardware based, they will never be free and as such every
> program that need to use hardware will have to use proprietary
> code.

This is really, really wrong. Just because a piece of hardware is
proprietary it needs not have proprietary drivers. There are plenty of free
drivers for hardware in the Linux kernel, for example, thanks to either
reverse engineering or to companies who make the hardware being smart (and
doing the write thing) and releasing the necessary specifications of the
hardware so that a free driver is possible. In addition, with ever-cheaper
FPGAs and so on, hardware and software might converge quite a lot (a lot of
hardware these days is more written (VHDL or VeriLog code) than designed).
But this is a bit OT. The fact is that, even though I mostly agree with you
that it is a hard fight to convince smart card manufacturers to provide ISO
compliance or specs for their cards and that using PKCS#11 would make GnuPG
more capable this does not matter, because the things you're able to express
with a licence are limited, and GPL is written as it is. So nothing there is
to be done.

>  From your position there are three options:

There are a few more.

> 1. Linux will not be able to use many hardware devices
> available in the market. So there will be less application for
> Linux, more application for  Windows.

This already happens today to an extent. Winmodems, winprinters. Fortunately
there are pervasive reverse engineering efforts together with pressure to
manufacturers to yield specs.

> 2. Vendors will develop NONE FREE software and sell it to
> people who insist to use these hardware devices and Linux. For
> example, I will write a PKCS#11 gpg-agent and sale it for
> enterprises... If they insist of using gpg... But I don't
> believe they will...

Again, this happens today. See proprietary nVidia drivers (which probably
violate the GPL).

> 3. Application in Linux environment will invent standards like
> the OpenPGP card, and be left out with some early adapters
> individuals.

4. Hardware manufacturing companies will follow standards about smart cards
like the cited ISO standard.

5. Hardware manufacturing companies will provide specifications that will
allow the creation of free drivers.

Options 4 and 5 are much preferable to option 0 (GnuPG implements PKCS#11
and people use non-free drivers) and not implementing PKCS#11 might put some
optimizing pressure in this direction.


Best,
--David.





More information about the Gnupg-users mailing list