PKCS#11 support for gpg-agent
Alon Bar-Lev
alon.barlev at gmail.com
Fri Sep 2 18:42:51 CEST 2005
Hello,
> You are wrong in this regard: PGP is widely
> adpopted (and what is your definition of
> "the world"?). And it makes perfectly sense
> to have both worlds.
I won't argue with that...
But the trend is not in favor of PGP.
> OpenPGP offers a completely different trust
> model which suits the needs of some users
> very well (you can establish a web of trust
> with anyone without overhead) while S/MIME
> (or better: X.509) uses a centralized, CA-
> based model. For some applications I would
> never trust a commercial certification
> authority, so in X.509 you have to operate
> your own CA...
You are wrong!
You can use self-signed certificates in a trust model similar
to PGP.
> Both S/MIME and OpenPG are standards (S/MIME
> v.1 was more or less proprietary stuff),
> you might have a look at the according IETF
> working groups (http://www.ietf.org/).
True... I know... But S/MIME standard is the one which is
implemented in every mail client program... not PGP...
>
> Well, you might have a look at KMail, which
> uses all the GPG 1.9 stuff. I was impressed
> by having a key manager, a smart card daemon
> and the easy interface of gpg-agent. This
> framework does far more than any PKCS11-
> implementation: For exampel it is able to
> handle revocation lists and OCSP-queries.
> This enables applications to use S/MIME without
> re-inventing the wheel.
You don't understand what PKCS#11 is!!!!
Maybe that is the reason for all of these arguments...
PKCS#11 is an API needed to access cryptographic token.
PKCS#11 is NOT OCSP or PKI or X.509. It just specify how
application should access a cryptographic token that can
perform hashing, symmetric and asymmetric key operation, key
handling etc...
A typical application need to use PKCS#11 __ONLY__ for the
following purposes:
1. Perform operation with private key located on token.
2. Fetch X.509v3 Digital Certificates from the token (User
identities).
> So please be fair: Both S/MIME and PGP have
> their advantages and disadvantages. And GPG
> seems to be on the way to be able to handle
> both. This sounds like a good idea to me.
I am sorry, but I don't agree.
I don't find any advantage to keep OpenPGP formats. There is
PKCS#7 for signed/enveloped data and S/MIME that uses PKCS#7
for email.
Using self-signed certificates and PKCS#7 and S/MIME you get a
full replacement for PGP... It will take several years, but
eventually it will happen.
Even pgp corp (www.pgp.com) understood that its future is in
S/MIME and PKI, so they adjusting their product toward it.
My initial request was to consider supporting PKCS#11 standard
in order to access keys that are located cryptographic tokens,
in stead of using a proprietary card format... This should be
done regardless of our small debate regarding S/MIME and PGP.
I hope you read more regarding PKCS#11
www.rsasecurity.com/rsalabs/pkcs/pkcs-11/index.html and
understand its role in cryptographic application and that gpg
can benefit from it.
Best Regards,
Alon Bar-Lev.
More information about the Gnupg-users
mailing list