[gnutls-dev] RFC: PKCS#11 plans

Ludovic Courtès ludovic.courtes at laas.fr
Mon Apr 23 15:50:22 CEST 2007


Simon Josefsson <simon at josefsson.org> writes:

> That seem to use the scdaemon protocol, but that protocol isn't
> sufficient for what GnuTLS needs -- for example, I can't read
> certificates from the smartcard via that protocol for OpenPGP cards.
> GnuTLS needs the certificates.

In this context, shouldn't we question the assumption that GnuTLS
absolutely needs access to private keys?  It seems that many smartcards
don't offer this option for security reasons: instead they only allow,
for instance, encryption/decryption of arbitrary data, as well as
extraction of the public key (certificate).

See the thread at:


(In addition, the opinion of Werner Koch in the second message is that
GnuTLS could directly talk to `gnupg-agent' instead of having its own
infrastructure.  Wouldn't that make sense?)


More information about the Gnutls-devel mailing list