Hi Alon,

> Here you are wrong.
> pkcs11-helper provides the ability to access the PKCS#11 industry standard.
> Please try the patchset and see for yourself that the solution allows
> eCryptfs to access any PKCS#11 provider.

I understand, I'm just pointing out that its non-standard ways of doing things will not be acceptable for some, so we should name it something unique.

> All the other notes are based on this assumption, I will be happy to
> explain more if you like.
>
> > But doing things like pulling an RSA modulus out of a pkcs11 data store
> > and encrypting with it using OpenSSL is not going to be acceptable for
> > some vendors.
>
> Why? It takes about 2 seconds to do this using most smartcard
> hardware... And less than 0.1 second to do this on main CPU...

Why should it? PKCS#11 was designed in such a way that what pkcs11-helper is doing shouldn't even need to happen. Under the covers of your smart-card token you should implement the RSA mechanisms with an openssl interface. All operations then just flow through PKCS#11 in the same slot and token with no need for a new interface. Worst case you could use a separate software only slot and *still* not need multiple PKCS#11 providers.

> I already told Michael that if we want *ACCELERATION* we should divide
> private and public key operation, so that public key operation may go
> to the accelerator and private key operation go to the specific
> provider. The accelerator and provider may be the same module, but in
> most cases they should be different.

Why? I've not seen this, and it strikes me as a design flaw as I said above...

Kent

--
Kent Yoder
IBM LTC Security Dev.

_______________________________________________
eCryptfs-devel mailing list
https://lists.sourceforge.net/lists/listinfo/ecryptfs-devel
