On 08/04/2011 06:57 PM, Alon Bar-Lev wrote:

Hello,

In gnutls we dropped our own PKCS #11 back-end based on pakchois for p11-kit. I'll try to contribute to the discussion based on this experience.

> pkcs11-helper targets developers who like to introduce PKCS#11 into
> their application, especially for smartcards. It allows them to minimize
> the user interaction and maximize the object reuse, while using the
> minimum set of the specification in order to allow application
> compatibility with most implementations. p11-kit is designed to solve
> incompatibilities of modules and inappropriate implementations of
> applications that use PKCS#11 by providing a baseline of the PKCS#11
> spec module implementation that may proxy one or more providers.

This does look like making them mutually exclusive. It would be good if a library satisfied both goals.

>> * Coordinating initialization and finalizing.
>
> You are referencing a badly implemented application that uses PKCS#11 in
> two independent places. A practical solution is to fix the library
> implementation (such as GnuTLS) to provide some state information.

How do you know that one library is in use? How can you avoid an application being linked to both p11-kit and pkcs11-helper? My experience from gnutls is that you cannot really track indirect dependencies, and you end up having applications linked against gnutls and openssl. If both had to access a PKCS #11 token there would be a problem.

>> * A standard place to put configuration of which modules to load
>> and how to load them.
>
> A PKCS#11 aware application should be exposed to this information and
> not let some library hide it. I also don't like libraries like
> NSS that have dependencies outside of the runtime environment the
> application is creating for them.

>> * Allowing pkcs11-helper to load modules from a standard location.
>> Does pkcs11-helper have a concept of a module registry? If not,
>> this could be a nice addition provided by p11-kit.
>
> Same as above. I don't like these registries within a library (API).
> A proxy module may have its own configuration, which is fine.

You can have both: an application interface where each application selects the modules, and a system-wide registry to set the system-wide available libraries. This is how gnutls is using p11-kit currently.

regards,
Nikos

PS. But for me the main user-visible contribution of p11-kit is the usage of pkcs11 urls, which prevents having applications referencing the same objects by different identifiers.

opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
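The initialization problem discussed above (two independently linked libraries in one process, both driving the same PKCS#11 module, one finalizing it under the other) as an added C illustration that is not code from this thread, from p11-kit or from pkcs11-helper. The module is a constructed stand-in that only mimics the real `C_Initialize`/`C_Finalize` return codes, and reference-counted initialization is shown as one way a shared coordination layer can prevent the premature finalize.

```c
typedef unsigned long CK_RV;
#define CKR_OK                            0x000UL
#define CKR_CRYPTOKI_NOT_INITIALIZED      0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED  0x191UL

/* Constructed stand-in for one PKCS#11 module: like a real module it
 * rejects a second C_Initialize and a C_Finalize when not initialized. */
static int module_up = 0;

static CK_RV fake_C_Initialize(void) {
    if (module_up) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    module_up = 1;
    return CKR_OK;
}
static CK_RV fake_C_Finalize(void) {
    if (!module_up) return CKR_CRYPTOKI_NOT_INITIALIZED;
    module_up = 0;
    return CKR_OK;
}

/* Uncoordinated use, as in the thread's scenario: two independent
 * libraries in one process each drive the module directly. Returns 1 if
 * library A is left holding a finalized module after B cleans up. */
int uncoordinated_scenario(void) {
    module_up = 0;
    fake_C_Initialize();   /* library A (e.g. a TLS stack) brings the module up */
    fake_C_Initialize();   /* library B gets ALREADY_INITIALIZED and ignores it */
    fake_C_Finalize();     /* library B is done and tears the module down */
    return module_up == 0; /* A still believes the module is usable */
}

/* Coordination layer shared by every consumer: reference-counted
 * initialization, so the module is finalized only by its last user. */
static int refcount = 0;

CK_RV coord_initialize(void) {
    if (refcount == 0) {
        CK_RV rv = fake_C_Initialize();
        if (rv != CKR_OK) return rv;
    }
    refcount++;
    return CKR_OK;
}
CK_RV coord_finalize(void) {
    if (refcount == 0) return CKR_CRYPTOKI_NOT_INITIALIZED;
    if (--refcount == 0) return fake_C_Finalize();
    return CKR_OK;
}
int module_is_up(void) { return module_up; }
```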