[gnutls-dev] GnuTLS PKCS#11 Engine

Alon Bar-Lev alon.barlev at gmail.com
Mon May 14 16:25:20 CEST 2007

On 5/14/07, Simon Josefsson <simon at josefsson.org> wrote:
> The license is on the source code, and by using the OpenSSL API I
> believe the FSF would consider pkcs11-helper to be a derived work from
> OpenSSL, and thus GPL-incompatible.  This would have to be confirmed
> with the FSF, though.

No... since the OpenSSL is not used in the solution with GnuTLS, it is
not derived work.

> > I don't understand...
> > The simple scute implementation is irrelevant for 99.999% of users.
> That may be true, but as far as I can tell, the simple scute
> implementation doesn't harm anything else, so I don't see a problem with
> it.

OK... Whatever...
1. How user can chose which API to select?
2. You need to sync the API.
3. Working PKCS#11 with only one provider is irrelevant... This is not
why PKCS#11 was introduced.

> Yes, that is the point.  Applications that wants to support external
> signing will have to do something extra.  That can link to your
> gnutls-pkcs11 library, or my scute gnutls-pkcs11 library (there appears
> to be a naming conflict here though), or something else, or even
> implement everything by itself.  It is even possible to do all at at the
> same time, if properly multiplexed by the application.  The nice
> property is that the core GnuTLS library doesn't need to know about
> this.

I don't understand your desire to push a library which is not exactly
doing anything.
Also calling yours gnutls-pkcs11 is misleading, since you really gnutls-scute...


More information about the Gnutls-devel mailing list