On 2012-02-19 19:11, Peter Stuge wrote:
> Anders Rundgren wrote:
>> You didn't hear my presentation at FOSDEM 2012 but it was about
>> creating a token with a standard API so that you would as a
>> customer be able to just plug it in.
>
> This is an advantage of USB P11. In Windows 8 and later there doesn't
> even have to be a driver installed, since WinUSB comes with the
> operating system already and can be loaded automatically if the
> device follows some Microsoft-invented USB extensions. Only one
> PKCS#11 DLL is necessary, and nothing more.

I don't know what USB P11 is, can you send me a pointer?

Although PKCS #11 is good it is not particularly popular on Windows.
It is essentially only Mozilla who insists on not supporting the
native Windows crypto system. SUN/Oracle have managed to do 3(!) major
Java releases (5,6,7) without PKCS #11 support for Win-64. They have
though added support for Crypto-API. The total confusion on the *NIX
side regarding crypto subsystem hasn't been particularly beneficial
for PKCS #11 either.

Regarding my token-project it has no direct ties to PKCS #11; it is
closer to the NXP GP-chip which is powering Google's Wallet. The
reason for this is that PKCS #11 doesn't have an interface supporting
secure remote provisioning, something which is absolutely necessary in
the mobile phone world. I have stretched this notion to include
connected tokens as well with a hope of reaching the critical mass
needed for establishing a de-facto standard.

>
>> it seems that NIST's PIV would be a good choice
>
> It would be a much better candidate if there was not such a thick
> layer of components involved which serve little to no purpose.

If you talk about the actual card standard I have no idea what you are
referring to. It looks quite simple to me. If you OTOH refer to the
OpenSC implementation, this is something that PIV isn't responsible
for. Anyway, I know that the PIV vendors verify their cards against
Microsoft's driver and that is IMO the way to go.

>
> In principle I do not argue strongly against PIV, I generally agree
> with your observations.
>
> But it would be nice to try to do even better. :)

That is what my project is all about but that is hardly an alternative
for Feitian at this stage.

Anders

>
>
> //Peter
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel