[gnutls-dev] RFC: PKCS#11 plans

Simon Josefsson simon at josefsson.org
Wed Apr 25 11:38:26 CEST 2007


Nate Nielsen <nielsen-list at memberwebs.com> writes:

> Simon Josefsson wrote:
>> Serializing PKCS#11 is not simple, and I don't know if anyone has done
>> this before.  Further, the serialization of PKCS#11 doesn't have to be
>> exactly mapped to the PKCS#11 API, it only has to support the same
>> things that PKCS#11 supports.
>
> Yes, it's certainly not simple.
>
> gnome-keyring-cryptoki is serializing some of the PKCS#11 calls for
> communication with its daemon. It's similar to how a smart card driver
> might send requests to its hardware component.
>
> I would recommend that any such serialization remain an internal API
> rather than trying to spec it out. As Alon is saying, implement PKCS#11
> as the 'spec' or supported API, and then a certain PKCS#11 driver could
> choose to serialize requests to a daemon (much as a smart card driver
> would internally serialize or process requests).

Right, and that's what I'm doing in my initial work.

However, I'm not yet convinced that GnuTLS should only support PKCS#11
directly, and no other crypto hardware abstraction layer such as CAPI or
GnuPG 2.x gpg-agent, possibly through a gnutls-daemon.  Still, adding
support for more abstractions can be done later on.  I guess that since
nobody else is working on this now, PKCS#11 will be all that I will
implement unless I run into serious problems with that choice.  The
choice can be revisited in the future.

For example, to support TLS OpenPGP with keys on smart cards, I don't
think I can use PKCS#11 via Scute.  It is X.509 only.  Or?

With the current approach of using PKCS#11 directly, there is the
problem of how to load the PKCS#11 module.  Right now, it is linked at
build-time.  Presumably, it would be nice to have it linked at run-time
via dlopen(), but that creates more problems for applications.  I think
they are already unhappy with how (relatively) complex it is to use
GnuTLS.  Having to deal with loading of PKCS#11 providers is probably
not what they are hoping for.

There is also the problem of having more code (the PKCS#11 provider) run
in the same process as GnuTLS.

Still, this approach is simpler for me to code. :)

/Simon
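A run-time loader of the kind the dlopen() paragraph above describes, as an added example that is not part of the original message or of GnuTLS. The partial CK_FUNCTION_LIST layout, the pkcs11_load/pkcs11_unload names and the error codes are assumptions made here so it compiles without pkcs11.h; it shows the checks a library should do before trusting provider code that it has just mapped into its own process.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <stddef.h>

/* Assumed prefix of the standard CK_FUNCTION_LIST layout (version, then the
 * function pointers in spec order).  Only the leading members are declared,
 * so nothing beyond C_Finalize may be dereferenced through this type. */
typedef unsigned long CK_RV;
#define CKR_OK 0UL
typedef struct { unsigned char major, minor; } CK_VERSION;
typedef struct {
    CK_VERSION version;
    CK_RV (*C_Initialize)(void *pInitArgs);
    CK_RV (*C_Finalize)(void *pReserved);
} CK_FUNCTION_LIST_PREFIX;
typedef CK_RV (*C_GetFunctionList_t)(CK_FUNCTION_LIST_PREFIX **ppFunctionList);

typedef struct { void *dl; CK_FUNCTION_LIST_PREFIX *fl; } pkcs11_module;

/* Load a PKCS#11 provider at run-time.  Returns 0 on success, negative on
 * failure.  The provider runs inside the caller's process, so the path must
 * come from configuration the caller trusts, never from untrusted input. */
int pkcs11_load(const char *path, pkcs11_module *m)
{
    C_GetFunctionList_t getfl = NULL;
    if (path == NULL || m == NULL)
        return -1;
    m->fl = NULL;
    /* RTLD_NOW: resolve every symbol up front, so a broken provider fails
     * here and not in the middle of a TLS handshake. */
    m->dl = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (m->dl == NULL) {
        fprintf(stderr, "dlopen: %s\n", dlerror());
        return -2;
    }
    *(void **)&getfl = dlsym(m->dl, "C_GetFunctionList");  /* POSIX idiom */
    if (getfl == NULL || getfl(&m->fl) != CKR_OK || m->fl == NULL) {
        dlclose(m->dl); m->dl = NULL; m->fl = NULL;
        return -3;  /* not a PKCS#11 provider */
    }
    if (m->fl->C_Initialize(NULL) != CKR_OK) {
        dlclose(m->dl); m->dl = NULL; m->fl = NULL;
        return -4;  /* provider refused to initialise */
    }
    return 0;
}

void pkcs11_unload(pkcs11_module *m)
{
    if (m->fl) m->fl->C_Finalize(NULL);
    if (m->dl) dlclose(m->dl);
    m->fl = NULL; m->dl = NULL;
}
```

On glibc older than 2.34 the program needs -ldl at link time; the path passed to pkcs11_load is the application's responsibility, which is exactly the configuration burden the message worries about.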
