[gnutls-dev] RFC: PKCS#11 plans

Ludovic Courtès ludovic.courtes at laas.fr
Mon Apr 23 15:50:22 CEST 2007


Hi,

Simon Josefsson <simon at josefsson.org> writes:

> That seems to use the scdaemon protocol, but that protocol isn't
> sufficient for what GnuTLS needs -- for example, I can't read
> certificates from the smartcard via that protocol for OpenPGP cards.
> GnuTLS needs the certificates.

In this context, shouldn't we question the assumption that GnuTLS
absolutely needs access to private keys?  It seems that many smartcards
don't offer this option for security reasons: instead they only allow,
for instance, encryption/decryption of arbitrary data, as well as
extraction of the public key (certificate).

See the thread at:

  http://article.gmane.org/gmane.comp.gnu.gnupg.users/10411
  http://article.gmane.org/gmane.comp.gnu.gnupg.users/10429

(In addition, the opinion of Werner Koch in the second message is that
GnuTLS could directly talk to `gnupg-agent' instead of having its own
infrastructure.  Wouldn't that make sense?)

Thanks,
Ludovic.