Douglas E. Engert
deengert at anl.gov
Wed Dec 13 18:32:37 EST 2006
More on the Solaris /usr/lib/libpkcs11.so ...
Nicolas Williams wrote:
> On Wed, Dec 13, 2006 at 03:50:02PM -0600, Douglas E. Engert wrote:
>>>If the OS ships with a PKCS#11 implementation, then use that as the
>>>default. (Solaris 10+, for example, has /usr/lib/libpkcs11.so.)
> Wow... what? It's been there for a while...
>> But this is not a smartcard interface as best as I can tell,
>>it is a crypto provider for internal use only. If it can use a smartcard,
>>please correct me if I am wrong!
> Oh no, it's a smartcard interface too. There are multiple providers.
Great, which providers?
> And it's an open plug-in interface: you can add third party providers,
> and the PKCS#11 API is the SPI. The only catch is that you have to ask
> Sun to sign your providers' shared objects (the framework won't load
> providers that aren't signed), but it's easy enough to get these
How do I get an OpenSC version signed? How about a UMich Kx509/libkpkcs11
version signed? This sounds like the hassle Microsoft has with signing
> The softtoken provider uses "soft" tokens for storing keys (i.e., an
> encrypted file in ~/.sunw/pkcs11_softtoken/private).
The UMich kxlist can write a kx509 cert and key, what would it take
to get it in this format?
Some PKINIT questions then. If it used your PKCS11, with multiple
providers, say a CAC pkcs11 and a PIV pkcs11, what would PKINIT see
with regards to slots?
I will have to try the OpenSC pkcs11-tool --module /usr/lib/libpkcs11.so
after I build it tonight.
> The kernel provider supports HW tokens.
>>>But how many smartcards should I have to carry around with me?
>>How many credit cards do you carry?
> I have several; I carry one that I use for everything, and a backup one.
> Not a perfect analogy, but I see your point.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439