Valerie Bubb Fenwick wrote:
> On Wed, 8 Oct 2008, Glenn Barry wrote:
> 
>> This came-up in the pkinit discussions yesterday:
>>
>> Does a pkcs11 module outside the crypto framework (that is, not
>> installed via cryptoadm) need to be signed in order to be used (legally)
>> by an OpenSolaris app (kinit(1) for example)?
> 
> Hi Glenn -
> 
> If it is going to be used as part of the cryptographic framework,
> then yes, it needs to be signed. If you'd like to use it directly,
> instead of using the cryptographic framework, then no, it would
> not need to be signed.  But, most things in opensolaris link directly
> to libpkcs11 when built, which then attaches to the cryptographic
> framework. Some things, like browsers, though, can be configured by
> the user.

The reason it doesn't need to be signed is that it isn't creating 
"crypto with a hole" (aka OCI: Open Cryptographic Interface) if the 
application is opening up the module rather than the framework.

libpkcs11 is an OCI because both the consumer and provider interfaces are 
documented and unrestricted in what crypto algorithms they can provide.

We already have in.iked able to be pointed to a specific PKCS#11 module; 
it uses libpkcs11 by default now though.

-- 
Darren J Moffat
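The distinction drawn above, an application opening a specific PKCS#11 module itself instead of linking against libpkcs11 and letting the framework pick providers, comes down to one mechanism: dlopen(3) the provider's shared object and fetch its function table through the single entry point every PKCS#11 provider exports, C_GetFunctionList. The following is an added example written for this page, not code from the thread, from kinit, or from in.iked; it assumes the module path is supplied on the command line, and the default path and the build line in the header are assumptions. It declares only a prefix of CK_FUNCTION_LIST so that it compiles without pkcs11.h.

```c
/*
 * Added example (not from the thread): load a PKCS#11 provider directly
 * by path with dlopen(3), the way an application that "opens up the
 * module rather than the framework" does, and report what it is.
 * Build (assumed filename): cc -o pk11probe pk11probe.c -ldl
 */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

/* Minimal PKCS#11 type definitions so this compiles without pkcs11.h.
 * Only the leading fields of CK_FUNCTION_LIST are declared; the real
 * table is much longer, but a prefix with identical layout is safe to
 * read through because the provider owns the full table. */
typedef unsigned long CK_RV;
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BYTE;
typedef struct { CK_BYTE major, minor; } CK_VERSION;
typedef struct {
    CK_VERSION cryptokiVersion;
    CK_BYTE    manufacturerID[32];     /* blank padded, no NUL */
    CK_ULONG   flags;
    CK_BYTE    libraryDescription[32]; /* blank padded, no NUL */
    CK_VERSION libraryVersion;
} CK_INFO;
typedef CK_RV (*CK_C_Initialize)(void *);
typedef CK_RV (*CK_C_Finalize)(void *);
typedef CK_RV (*CK_C_GetInfo)(CK_INFO *);
typedef struct {
    CK_VERSION      version;
    CK_C_Initialize C_Initialize;
    CK_C_Finalize   C_Finalize;
    CK_C_GetInfo    C_GetInfo;
} CK_FUNCTION_LIST_PREFIX;
typedef CK_RV (*CK_C_GetFunctionList)(CK_FUNCTION_LIST_PREFIX **);
#define CKR_OK 0UL

/* PKCS#11 text fields are blank padded and not NUL terminated; copy one
 * into a C string, dropping trailing blanks. Returns the resulting length. */
size_t ck_padded_to_cstr(const CK_BYTE *src, size_t n, char *dst, size_t dstlen)
{
    while (n > 0 && src[n - 1] == ' ')
        n--;
    if (n >= dstlen)
        n = dstlen - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Result codes for probe_pkcs11_module(). */
enum { PK11_OK = 0, PK11_ERR_DLOPEN = -1, PK11_ERR_NOSYM = -2,
       PK11_ERR_GETLIST = -3, PK11_ERR_INIT = -4, PK11_ERR_GETINFO = -5 };

/* Open the shared object at `path`, obtain its function table through
 * C_GetFunctionList, initialise the provider, and write
 * "<manufacturer> / <description> (Cryptoki x.y)" into desc. */
int probe_pkcs11_module(const char *path, char *desc, size_t desclen)
{
    void *h = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (h == NULL)
        return PK11_ERR_DLOPEN;

    CK_C_GetFunctionList getlist =
        (CK_C_GetFunctionList)dlsym(h, "C_GetFunctionList");
    if (getlist == NULL) { dlclose(h); return PK11_ERR_NOSYM; }

    CK_FUNCTION_LIST_PREFIX *fl = NULL;
    if (getlist(&fl) != CKR_OK || fl == NULL) { dlclose(h); return PK11_ERR_GETLIST; }

    /* NULL args: single threaded use with the provider's own locking. */
    if (fl->C_Initialize(NULL) != CKR_OK) { dlclose(h); return PK11_ERR_INIT; }

    CK_INFO info;
    memset(&info, 0, sizeof info);
    int rc = PK11_OK;
    if (fl->C_GetInfo(&info) != CKR_OK) {
        rc = PK11_ERR_GETINFO;
    } else {
        char mfr[33], lib[33];
        ck_padded_to_cstr(info.manufacturerID, 32, mfr, sizeof mfr);
        ck_padded_to_cstr(info.libraryDescription, 32, lib, sizeof lib);
        snprintf(desc, desclen, "%s / %s (Cryptoki %u.%u)", mfr, lib,
                 (unsigned)info.cryptokiVersion.major,
                 (unsigned)info.cryptokiVersion.minor);
    }
    fl->C_Finalize(NULL);
    dlclose(h);
    return rc;
}

int main(int argc, char **argv)
{
    /* Default path is an assumption. The framework library itself also
     * exports C_GetFunctionList, so the same probe works for either the
     * framework or one specific provider. */
    const char *path = argc > 1 ? argv[1] : "/usr/lib/libpkcs11.so";
    char desc[128];
    int rc = probe_pkcs11_module(path, desc, sizeof desc);
    if (rc != PK11_OK) {
        fprintf(stderr, "%s: probe failed (%d)\n", path, rc);
        return 1;
    }
    printf("%s: %s\n", path, desc);
    return 0;
}
```

Pointing the probe at a provider's own .so talks to that module alone, with nothing from cryptoadm or the framework in the path; pointing it at libpkcs11.so goes through the framework and its configured providers. Which of those two an application does is exactly the distinction the replies above turn on.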
