gnutls-devel
Re: request for comments: PKCS #11


From: Nikos Mavrogiannopoulos
Subject: Re: request for comments: PKCS #11
Date: Thu, 10 Jun 2010 10:27:13 +0200

On Thu, Jun 10, 2010 at 5:49 AM, Stef Walter <address@hidden> wrote:
>> Hello,
>>  I sent this to you because you have previously expressed your
>> interest in PKCS #11 support in gnutls or you have already implemented
>> it (in that case I have taken ideas already from you), or I'd be
>> interested in your comments.  I have added PKCS #11 support in gnutls
>> and I would like your comments and ideas.
>
> This is awesome progress. I'm excited because I'm going to be giving a
> talk at GUADEC conference (in the Netherlands) about uniting GNOME's
> (and in the future the Linux Desktop's) crypto storage around PKCS#11.
> http://www.guadec.org/index.php/guadec/2010/paper/view/15

That's cool. I believe in the same thing. PKCS #11 can be used as glue
to connect all the now separated pieces. The advantage of it is that
one can have a central storage that all libraries can access, thus
allowing the existing diversity and offering usability at the same
time.

> One question though, are you importing private keys from the PKCS#11
> token, or using the crypto operations. Forgive me if I've overlooked
> something but in this example looked like the keys were being imported:
> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=blob;f=doc/cha-cert-auth.texi;h=68999e1d80efc47ba12a490510a708b7cc0fee88;hb=HEAD#l532

The system call for privkeys is called "import" but it actually
associates the URL object with the pkcs11 structure. It does not try
to import it.

> Day Dreaming: It's too bad there isn't a way to have a unique URL per
> PKCS#11 object. However, this spec is still better than nothing and I
> can see how it would be useful for loading objects.

I believe this is possible if all the components of the URL are specified.

> One thing that I'm interested in is the use of a pkcs11 config file
> system. I was thinking of a scaled down PAM style concept, where one can
> configure in a standard way which pkcs11 modules to load. In other
> words, which host processes should load which modules. I noticed you
> have a config file specific to gnutls there. Do you know of any work
> being done on something more global?

No, I'm not aware of something like that, but I would also be
interested in anything related.


regards,
Nikos
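Whether a PKCS #11 URL names exactly one object, as discussed above, comes down to which components are present. The following is an added example, not code from GnuTLS or from either correspondent: it parses a URL into its attributes and lists the token- and object-identifying components that are missing, so a URL with gaps is recognised as a pattern that may match several objects rather than a unique reference. It assumes the attribute names of RFC 7512, which later standardised the pkcs11: URL scheme; the 2010 GnuTLS syntax differs in detail (for instance `objecttype` rather than `type`). The sample URLs are constructed.

```python
"""Check which components of a PKCS #11 URL are present.

Added example; it is not code from GnuTLS or from either correspondent in
the thread. Attribute names follow RFC 7512 (the later standard for the
pkcs11: URL scheme); the GnuTLS syntax of 2010 differs in detail, e.g.
'objecttype' instead of 'type'. Sample URLs below are constructed.
"""
from urllib.parse import unquote, unquote_to_bytes

# Components that identify the token (the card or software store).
TOKEN_ATTRS = ("token", "manufacturer", "serial", "model")
# Components that identify the object within that token.
OBJECT_ATTRS = ("object", "type", "id")


def parse_pkcs11_url(url):
    """Split 'pkcs11:k1=v1;k2=v2[?query]' into a dict of decoded attributes.

    'id' is a CKA_ID byte string, so it is percent-decoded to bytes; the
    other attributes are decoded to text. The optional query part (where
    RFC 7512 puts e.g. pin-value) is dropped: it never identifies an object.
    """
    if not url.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URL: %r" % url)
    path = url[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for part in filter(None, path.split(";")):
        if "=" not in part:
            raise ValueError("malformed attribute %r" % part)
        key, value = part.split("=", 1)
        if key in attrs:
            raise ValueError("duplicate attribute %r" % key)
        attrs[key] = unquote_to_bytes(value) if key == "id" else unquote(value)
    return attrs


def missing_components(attrs):
    """Return the token/object components absent from a parsed URL.

    An empty list means every component is given, which is the condition
    named in the thread for a URL to pin down exactly one object. A
    non-empty list means the URL is a pattern that may match several
    objects, possibly on several tokens, so a library resolving it could
    bind to a different key than the one intended.
    """
    return [a for a in TOKEN_ATTRS + OBJECT_ATTRS if a not in attrs]


def is_unique(url):
    """True when the URL fully specifies both the token and the object."""
    return not missing_components(parse_pkcs11_url(url))


if __name__ == "__main__":
    # Constructed sample URLs: one complete, one that only names the object.
    full = ("pkcs11:token=Test%20Token;manufacturer=Example%20Corp;"
            "serial=0123456789;model=PKCS%2315;object=signing%20key;"
            "type=private;id=%01%02?pin-value=1234")
    partial = "pkcs11:object=signing%20key;type=private"
    for u in (full, partial):
        if is_unique(u):
            print(u, "-> unique")
        else:
            gaps = missing_components(parse_pkcs11_url(u))
            print(u, "-> may match many; missing", ", ".join(gaps))
```

The query part is discarded on purpose: a PIN or module hint attached to the URL says nothing about which object is meant, so it must not count towards uniqueness.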
