[gnutls-dev] RFC: PKCS#11 plans

Ludovic Courtès ludovic.courtes at laas.fr
Tue Apr 24 14:27:30 CEST 2007

Hi Simon,

Simon Josefsson <simon at josefsson.org> writes:

> ludovic.courtes at laas.fr (Ludovic Courtès) writes:

>> In this context, shouldn't we question the assumption that GnuTLS
>> absolutely needs access to private keys?  It seems that many smartcards
>> don't offer this option for security reasons: instead they only allow,
>> for instance, encryption/decryption of arbitrary data, as well as
>> extraction of the public key (certificate).
> Yes!  There are plans for GNOME Seahorse to provide a PKCS#11
> interface for the private keys/certificates stored in the gnome
> keyring.  This was what prompted my work on PKCS#11 support in GnuTLS.

Ok, I had misunderstood the rationale.

> One could also write a really simple PKCS#11 plugin that uses on-disk
> private key/certificates.  This could be written using the GnuTLS
> X.509 APIs.
> In any case, the primary goal of my PKCS#11 work is to avoid the need
> for GnuTLS to have access to private keys.  It just needs to read
> certificates from somewhere, and have an interface to signing
> operations.  Whether that is PKCS#11 or some IPC protocol to some
> external gnutls-daemon-like process is an open question.

Alright, got it.

> Yeah, but it turned out that gpg-agent cannot support this, since it
> is not possible to get user certificates from it.

You mean OpenPGP public key certificates, right?

If so, can't we tweak the GnuPG people into changing `gnupg-agent' to
support this?  :-)

As Alon said, it seems that there would be great value into sharing such
mechanisms among several projects.  Since GnuTLS and GnuPG are
"siblings" within the GNU Project, it'd make sense to try and find
solutions suitable to both.


More information about the Gnutls-devel mailing list