request for comments: PKCS #11
Nikos Mavrogiannopoulos
nmav at gnutls.org
Thu Jun 10 10:27:13 CEST 2010
On Thu, Jun 10, 2010 at 5:49 AM, Stef Walter <stef-list at memberwebs.com> wrote:
>> Hello,
>> I sent this to you because you have previously expressed your
>> interest in PKCS #11 support in gnutls or you have already implemented
>> it (in that case I have taken ideas already from you), or I'd be
>> interested in your comments. I have added PKCS #11 support in gnutls
>> and I would like your comments and ideas.
>
> This is awesome progress. I'm excited because I'm going to be giving a
> talk at GUADEC conference (in the Netherlands) about uniting GNOME's
> (and in the future the Linux Desktop's) crypto storage around PKCS#11.
> http://www.guadec.org/index.php/guadec/2010/paper/view/15
That's cool. I believe in the same thing. PKCS #11 can be used as glue
to connect all the now separated pieces. The advantage of it is that
one can have a central storage that all libraries can access, thus
allowing the existing diversity and offering usability at the same
time.
> One question though, are you importing private keys from the PKCS#11
> token, or using the crypto operations. Forgive me if I've overlooked
> something but in this example looked like the keys were being imported:
> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=blob;f=doc/cha-cert-auth.texi;h=68999e1d80efc47ba12a490510a708b7cc0fee88;hb=HEAD#l532
The system call for privkeys is called "import" but it actually
associates the URL object with the pkcs11 structure. It does not try
to import it.
> Day Dreaming: It's too bad there isn't a way to have a unique URL per
> PKCS#11 object. However, this spec is still better than nothing and I
> can see how it would be useful for loading objects.
I believe this is possible if all the components of the URL are specified.
> One thing that I'm interested in is the use of a pkcs11 config file
> system. I was thinking of a scaled down PAM style concept, where one can
> configure in a standard way which pkcs11 modules to load. In other
> words, which host processes should load which modules. I noticed you
> have a config file specific to gnutls there. Do you know of any work
> being done on something more global?
No, I'm not aware of something like that, but I would also be
interested in anything related.
regards,
Nikos
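As an added example (not code from this thread or from gnutls), a small parser that splits a pkcs11: URL into its attributes and reports which identifying components are absent, which is what the "unique only if all components are specified" point above hinges on. The component set treated as identifying and the plain name=value;name=value grammar are assumptions of this example.

```python
# Added example: parse a "pkcs11:" URL and check whether every component
# needed to pin down one object is present.  The identifying set below
# (token, manufacturer, serial, model, object, type, id) is an assumption
# of this example, modelled on the draft PKCS #11 URI attribute names.
from urllib.parse import unquote_to_bytes

IDENTIFYING = ("token", "manufacturer", "serial", "model", "object", "type", "id")


def parse_pkcs11_url(url: str) -> dict:
    """Split a pkcs11: URL into attributes; values are percent-decoded.

    Attribute values containing ';' or '=' must be percent-encoded.
    """
    if not url.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URL")
    attrs = {}
    body = url[len("pkcs11:"):]
    if not body:
        return attrs
    for part in body.split(";"):
        if "=" not in part:
            raise ValueError(f"malformed attribute: {part!r}")
        name, value = part.split("=", 1)
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        decoded = unquote_to_bytes(value)
        # "id" maps to the binary CKA_ID, so keep it as bytes; the rest is text
        attrs[name] = decoded if name == "id" else decoded.decode("utf-8")
    return attrs


def missing_components(url: str) -> list:
    """Return the identifying components the URL leaves unspecified."""
    attrs = parse_pkcs11_url(url)
    return [c for c in IDENTIFYING if c not in attrs]


def is_fully_specified(url: str) -> bool:
    """True when the URL names every identifying component."""
    return not missing_components(url)


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real token
    full = ("pkcs11:token=Demo%20Token;manufacturer=ACME;serial=0001;"
            "model=SoftToken;object=my%20key;type=private;id=%01%02")
    print(is_fully_specified(full))                     # True
    print(missing_components("pkcs11:token=Demo%20Token;object=my%20key"))
```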