request for comments: PKCS #11

Stef Walter stef-list at memberwebs.com
Thu Jun 10 05:49:51 CEST 2010


On 2010-06-09 06:47, Nikos Mavrogiannopoulos wrote:
> Hello,
>  I sent this to you because you have previously expressed your
> interest in PKCS #11 support in gnutls or you have already implemented
> it (in that case I have already taken ideas from you), or I'd be
> interested in your comments.  I have added PKCS #11 support in gnutls
> and I would like your comments and ideas.

This is awesome progress. I'm excited because I'm going to be giving a
talk at GUADEC conference (in the Netherlands) about uniting GNOME's
(and in the future the Linux Desktop's) crypto storage around PKCS#11.

http://www.guadec.org/index.php/guadec/2010/paper/view/15

One question though: are you importing private keys from the PKCS#11
token, or using the crypto operations? Forgive me if I've overlooked
something, but in this example it looked like the keys were being imported:

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=blob;f=doc/cha-cert-auth.texi;h=68999e1d80efc47ba12a490510a708b7cc0fee88;hb=HEAD#l532

> The basic functionality
> supported is reading public and private keys (as well as
> certificates), using private keys for operations and storing private
> keys and certificates to tokens (smart cards etc). To reference any
> objects I used PKCS #11 URLs as specified in
> http://tools.ietf.org/html/draft-pechanec-pkcs11uri-01.  

Interesting spec. I hadn't seen it before.

Day Dreaming: It's too bad there isn't a way to have a unique URL per
PKCS#11 object. However, this spec is still better than nothing and I
can see how it would be useful for loading objects.

One thing that I'm interested in is the use of a pkcs11 config file
system. I was thinking of a scaled down PAM style concept, where one can
configure in a standard way which pkcs11 modules to load. In other
words, which host processes should load which modules. I noticed you
have a config file specific to gnutls there. Do you know of any work
being done on something more global?

Anyway, all that to say, I love seeing progress in this area, and would
like to stay in touch.

Cheers,

Stef
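The draft Nikos points at and Stef's remark that a PKCS#11 URI need not be unique per object are easy to see with a small parser. The following is an added example, not code from this thread, from GnuTLS or from the draft: it parses a `pkcs11:` URI into its attributes and then uses them as a filter over a token's objects, the way a library would before calling C_FindObjects and C_Sign on the matched key rather than extracting it. Assumptions not on the page: the attribute vocabulary is the one the draft later became (RFC 7512: `token`, `object`, `id`, `type` in the path; `pin-source`, `module-name`, `module-path` in the query), and the token contents are constructed sample data.

```python
"""Added example (not from the original mail or from GnuTLS): parse a
pkcs11: URI and use it as an attribute filter over token objects.

Assumption: attribute names follow RFC 7512 (the successor of the
draft-pechanec-pkcs11uri draft). Sample token data below is constructed.
"""

from urllib.parse import unquote_to_bytes

# CKA_ID is arbitrary binary, so 'id' stays bytes after percent-decoding;
# every other attribute is UTF-8 text.
BINARY_ATTRS = {"id"}


def _parse_pairs(section, delim):
    """Split 'name=value' pairs on delim, percent-decoding each value."""
    attrs = {}
    if not section:
        return attrs
    for pair in section.split(delim):
        name, eq, value = pair.partition("=")
        if not eq or not name:
            raise ValueError("malformed attribute %r" % pair)
        if name in attrs:
            # RFC 7512 allows each attribute at most once per component.
            raise ValueError("duplicate attribute %r" % name)
        raw = unquote_to_bytes(value)
        attrs[name] = raw if name in BINARY_ATTRS else raw.decode("utf-8")
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI.

    Path attributes are ';'-separated and identify the object; query
    attributes are '&'-separated and tell the application how to reach
    it (pin-source, module-path, ...). Raises ValueError on bad input.
    """
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    return _parse_pairs(path, ";"), _parse_pairs(query, "&")


# Constructed sample token: a key pair and its certificate share the same
# label and CKA_ID, as is conventional on smart cards.
SAMPLE_TOKEN = {
    "token": "Test Card",
    "objects": [
        {"object": "Signing Key", "id": b"\x01", "type": "private"},
        {"object": "Signing Key", "id": b"\x01", "type": "public"},
        {"object": "Signing Key", "id": b"\x01", "type": "cert"},
        {"object": "Old Key", "id": b"\x02", "type": "private"},
    ],
}

# Path attributes that describe the object itself (others describe the
# token, slot or library and are checked separately).
OBJECT_ATTRS = ("object", "id", "type")


def find_objects(token, uri):
    """Return the objects on token that match every attribute in uri.

    Like C_FindObjects, this is a filter: an under-specified URI may
    match several objects, which is why a URI is not a unique name.
    """
    path_attrs, _ = parse_pkcs11_uri(uri)
    if "token" in path_attrs and path_attrs["token"] != token["token"]:
        return []
    wanted = {k: v for k, v in path_attrs.items() if k in OBJECT_ATTRS}
    return [o for o in token["objects"]
            if all(o.get(k) == v for k, v in wanted.items())]


if __name__ == "__main__":
    loose = "pkcs11:token=Test%20Card;object=Signing%20Key"
    exact = loose + ";id=%01;type=private?pin-source=file:/tmp/pin"
    print(len(find_objects(SAMPLE_TOKEN, loose)), "objects match", loose)
    print(len(find_objects(SAMPLE_TOKEN, exact)), "object matches", exact)
```

Selecting by label alone returns the private key, the public key and the certificate, so a caller that wants exactly one object has to add `type` (and usually `id`) to the URI, or treat more than one match as an error. The `id` value is kept as bytes on purpose: decoding `%01%02` as text would corrupt a CKA_ID that is not valid UTF-8.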