Anthony Scarpino wrote:
> Garrett D'Amore wrote:
>> Darren J Moffat wrote:
> [...]
>>> Given the way that hardware acceleration is going (ie becoming a CPU
>>> chip feature) I can't see us actually doing anything much about this
>>> in the future either.
>>
>> Ah, but it has ramifications for keystore devices, such as USB
>> dongles, smart cards, and such. I think making this dynamic might be
>> very useful with future uses of PKCS#11.
>
> That would be C_WaitForSlotEvent. That's where a provider, which was
> registered during C_Initialize, comes with a smartcard reader. That
> provider performs an event when a card is inserted or removed.
>
> For C_GetSlotList, it's looking more at providers like PCI cards that
> get dynamically reconfigured on or off the system. I don't believe USB
> sticks or dongles were being considered in such a fashion.. Not to say it
> couldn't be, just not the intent..

It is actually a combination of both of them that is needed to be fully
dynamic. I asked for the expanding C_GetSlotList() to cover both the DR
in of PCI cards and for hot plug of USB attached readers/dongles.

C_WaitForSlotEvent is useful when the reader already exists but there is
no card in it. C_GetSlotList() expansion is useful for when the reader
and token are combined in a single USB attached dongle - getting more
common now.

The problem with the C_GetSlotList() expansion is that there isn't
really much guidance (if any) of when to call it, so it is left to the
application to do it at a suitable time. For IKE a suitable time would
probably be when someone runs 'ikeadm token' commands.

For now though it isn't actually going to make any difference, since
libpkcs11 doesn't respond to this, pkcs11_softtoken only has one slot
anyway and pkcs11_kernel doesn't respond to it yet either. The changes
aren't big, they just haven't been done - the testing of it is probably
going to take much more time than the development!

Once we get a PKCS#11 interface to PC/SC for smartcard this becomes much
more interesting to implement; until then we lack interesting providers
that can do much with this, given the rarity of SCA-6000 cards and
similar that exist, never mind that are likely to be DR'd in and out.

--
Darren J Moffat
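
The difference between the two calls discussed in this thread, as an added example that is not from the thread or from any Solaris source. It uses a small in-memory mock provider rather than a real library, relying on the PKCS#11 v2.20 rule that the slot set is re-checked only when C_GetSlotList is called with a NULL buffer; the mock_* helpers and the three application-side functions are hypothetical names.

```c
/* Added example: a mock provider, NOT libpkcs11. Types and constants mirror
   PKCS#11 v2.20; mock_* and the three app-side helpers are hypothetical. */
#include <string.h>
typedef unsigned long CK_RV, CK_ULONG, CK_SLOT_ID, CK_FLAGS;
typedef unsigned char CK_BBOOL;
enum { CKR_OK = 0, CKR_NO_EVENT = 0x8, CKR_BUFFER_TOO_SMALL = 0x150, CKF_DONT_BLOCK = 1 };

static CK_SLOT_ID hw[8], vis[8], ev[8]; /* attached devices, exposed list, pending events */
static CK_ULONG hw_n, vis_n, ev_n;
void mock_hotplug(CK_SLOT_ID id)    { hw[hw_n++] = id; } /* dongle or DR'd card appears */
void mock_card_event(CK_SLOT_ID id) { ev[ev_n++] = id; } /* card goes into existing reader */

CK_RV C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID *list, CK_ULONG *count) {
    CK_RV rv = CKR_OK; (void)tokenPresent;
    if (list == NULL) {             /* size query: only here is the slot set re-checked */
        memcpy(vis, hw, sizeof hw);
        vis_n = hw_n;
    } else if (*count < vis_n) {
        rv = CKR_BUFFER_TOO_SMALL;
    } else {
        memcpy(list, vis, vis_n * sizeof *vis);
    }
    *count = vis_n;
    return rv;
}

CK_RV C_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID *slot, void *reserved) {
    (void)flags; (void)reserved;    /* the mock never blocks */
    if (ev_n == 0) return CKR_NO_EVENT;
    *slot = ev[--ev_n];
    return CKR_OK;
}

/* Full refresh: NULL call first, then fetch. Picks up hot-plugged slots. */
long rescan_slots(CK_SLOT_ID *out, CK_ULONG cap) {
    CK_ULONG n = 0;
    if (C_GetSlotList(0, NULL, &n) != CKR_OK || n > cap) return -1;
    return C_GetSlotList(0, out, &n) == CKR_OK ? (long)n : -1;
}
/* Fetch only: sees the list as of the last NULL call, so new slots are missed. */
long reread_slots(CK_SLOT_ID *out, CK_ULONG cap) {
    CK_ULONG n = cap;
    return C_GetSlotList(0, out, &n) == CKR_OK ? (long)n : -1;
}
/* Non-blocking poll for card insert/remove on slots that already exist. */
int drain_events(CK_SLOT_ID *out, int cap) {
    int k = 0; CK_SLOT_ID s;
    while (k < cap && C_WaitForSlotEvent(CKF_DONT_BLOCK, &s, NULL) == CKR_OK) out[k++] = s;
    return k;
}
```

Against a real provider the same two application-side patterns apply: call rescan_slots at an application-chosen moment (the message suggests 'ikeadm token' for IKE), and poll events for readers that are already listed.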