request for comments: PKCS #11

Nikos Mavrogiannopoulos nmav at
Thu Jun 10 10:27:13 CEST 2010

On Thu, Jun 10, 2010 at 5:49 AM, Stef Walter <stef-list at> wrote:
>> Hello,
>>  I sent this to you because you have previously expressed your
>> interest in PKCS #11 support in gnutls or you have already implemented
>> it (in that case I have taken ideas already from you), or I'd be
>> interested in your comments.  I have added PKCS #11 support in gnutls
>> and I would like your comments and ideas.
> This is awesome progress. I'm excited because I'm going to be giving a
> talk at GUADEC conference (in the Netherlands) about uniting GNOME's
> (and in the future the Linux Desktop's) crypto storage around PKCS#11.

That's cool. I believe in the same thing. PKCS #11 can be used as glue
to connect all the now separated pieces. The advantage of it is that
one can have a central storage that all libraries can access, thus
allowing the existing diversity and offering usability at the same

> One question though, are you importing private keys from the PKCS#11
> token, or using the crypto operations? Forgive me if I've overlooked
> something, but in this example it looked like the keys were being imported:

The system call for privkeys is called "import" but it actually
associates the URL object with the pkcs11 structure. It does not try
to import it.

> Day Dreaming: It's too bad there isn't a way to have a unique URL per
> PKCS#11 object. However, this spec is still better than nothing and I
> can see how it would be useful for loading objects.

I believe this is possible if all the components of the URL are specified.
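The point about uniqueness can be made concrete by resolving a PKCS #11 URL against an inventory of token objects: a URL that leaves components unspecified can match several objects, and a library should refuse to silently pick one. The following is an added example, not code from the original thread or from GnuTLS; it assumes the path attribute names of the pkcs11 URI scheme as later standardised in RFC 7512 (token, manufacturer, serial, model, object, type, id), and the token inventory is constructed sample data.

```python
"""Parse a PKCS #11 URL and check whether it pins down exactly one object.

Added example; attribute names are assumed to follow RFC 7512, and the
object inventory below is constructed for illustration.
"""
from urllib.parse import unquote_to_bytes

# Path attributes that identify a token and an object on it (RFC 7512 names).
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "object", "type", "id"}


def parse_pkcs11_url(url):
    """Return a dict of the path attributes present in a 'pkcs11:' URL.

    Values are percent-decoded. 'id' is kept as bytes because CKA_ID is
    arbitrary binary data; the other attributes are decoded as UTF-8 text.
    Raises ValueError on a malformed URL, an unknown or duplicated attribute.
    """
    if not url.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URL")
    body = url[len("pkcs11:"):]
    # Query attributes (after '?', e.g. pin-value) do not identify the object.
    path, _, _query = body.partition("?")
    attrs = {}
    if not path:
        return attrs
    for part in path.split(";"):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("attribute without value: %r" % part)
        if name not in PATH_ATTRS:
            raise ValueError("unknown path attribute: %r" % name)
        if name in attrs:
            raise ValueError("duplicate attribute: %r" % name)
        raw = unquote_to_bytes(value)
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs


def matching_objects(attrs, objects):
    """Return every object whose attributes agree with all those in the URL.

    A URL with no path attributes matches everything, so the caller must
    treat any result size other than 1 as ambiguous rather than take the first.
    """
    return [obj for obj in objects
            if all(obj.get(k) == v for k, v in attrs.items())]


def resolve_unique(url, objects):
    """Resolve a URL to exactly one object, or raise LookupError."""
    found = matching_objects(parse_pkcs11_url(url), objects)
    if len(found) != 1:
        raise LookupError("URL matches %d objects, expected exactly 1" % len(found))
    return found[0]


# Constructed inventory: two tokens from the same vendor, and a key pair whose
# private and public halves share the label "server-key" on token A.
SAMPLE_OBJECTS = [
    {"token": "Test Token A", "manufacturer": "ExampleCo", "serial": "0001",
     "model": "SoftToken", "object": "server-key", "type": "private", "id": b"\x01"},
    {"token": "Test Token A", "manufacturer": "ExampleCo", "serial": "0001",
     "model": "SoftToken", "object": "server-key", "type": "public", "id": b"\x01"},
    {"token": "Test Token B", "manufacturer": "ExampleCo", "serial": "0002",
     "model": "SoftToken", "object": "server-key", "type": "private", "id": b"\x02"},
]

FULL_URL = ("pkcs11:token=Test%20Token%20A;manufacturer=ExampleCo;serial=0001;"
            "model=SoftToken;object=server-key;type=private;id=%01")

if __name__ == "__main__":
    # Label alone is ambiguous across tokens and across the key pair.
    print(len(matching_objects(parse_pkcs11_url("pkcs11:object=server-key"),
                               SAMPLE_OBJECTS)), "objects match the label alone")
    # With every component given, exactly one object is selected.
    print(resolve_unique(FULL_URL, SAMPLE_OBJECTS)["type"])
```

Only the fully specified URL resolves; the label-only form matches three objects and even adding the token still leaves the private/public pair indistinguishable, which is why the resolver raises instead of guessing.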

> One thing that I'm interested in is the use of a pkcs11 config file
> system. I was thinking of a scaled down PAM style concept, where one can
> configure in a standard way which pkcs11 modules to load. In other
> words, which host processes should load which modules. I noticed you
> have a config file specific to gnutls there. Do you know of any work
> being done on something more global?

No, I'm not aware of something like that, but I would also be
interested in anything related.


More information about the Gnutls-devel mailing list