request for comments: PKCS #11

Stef Walter stef-list at
Thu Jun 10 05:49:51 CEST 2010

On 2010-06-09 06:47, Nikos Mavrogiannopoulos wrote:
> Hello,
>  I sent this to you because you have previously expressed your
> interest on PKCS #11 support in gnutls or you have already implement
> it (in that case I have taken ideas already from you), or I'd be
> interested in your comments.  I have added PKCS #11 support in gnutls
> and I would like your comments and ideas. 

This is awesome progress. I'm excited because I'm going to be giving a
talk at GUADEC conference (in the Netherlands) about uniting GNOME's
(and in the future the Linux Desktop's) crypto storage around PKCS#11.

One question though, are you importing private keys from the PKCS#11
token, or using the crypto operations. Forgive me if I've overlooked
something but in this example looked like the keys were being imported:;a=blob;f=doc/cha-cert-auth.texi;h=68999e1d80efc47ba12a490510a708b7cc0fee88;hb=HEAD#l532

The basic functionality
> supported is reading public and private keys (as well as
> certificates), using private keys for operations and storing private
> keys and certificates to tokens (smart cards etc). To reference any
> objects I used PKCS #11 URLs as specified in

Interesting spec. I hadn't seen it before.

Day Dreaming: It's too bad there isn't a way to have a unique URL per
PKCS#11 object. However, this spec is still better than nothing and I
can see how it would be useful for loading objects.

One thing that I'm interested in is the use of a pkcs11 config file
system. I was thinking of a scaled down PAM style concept, where one can
configure in a standard way which pkcs11 modules to load. In other
words, which host processes should load which modules. I noticed you
have a config file specific to gnutls there. Do you know of any work
being done on something more global?

Anyway, all that to say, I love seeing progress in this area, and would
like to stay in touch.



More information about the Gnutls-devel mailing list