Anders Rundgren wrote:
> I don't know what USB P11 is, can you send me a pointer?

It's my old idea of implementing PKCS#11 directly over USB. Issues have been pointed out, and they would have to be solved of course.

> Although PKCS #11 is good it is not particularly popular on Windows.
> It is essentially only Mozilla who insists on not supporting the
> native Windows crypto system. SUN/Oracle have managed to do 3(!)
> major Java releases (5,6,7) without PKCS #11 support for Win-64.
> They have though added support for Crypto-API.

The same USB device could support Crypto-API primitives too.

> Regarding my token-project it has no direct ties to PKCS #11; it is
> closer to the NXP GP-chip which is powering Google's Wallet.
>
> The reason for this is that PKCS #11 doesn't have an interface
> supporting secure remote provisioning, something which is absolutely
> necessary in the mobile phone world.

Provisioning is indeed outside PKCS#11 and could be done in some other, also convenient, way. USB is really easy to use.

> I have stretched this notion to include connected tokens as well
> with a hope of reaching the critical mass needed for establishing a
> de-facto standard.

I fear that you are ahead of your time. :\ Adam Dunkels implemented the internet of things many years ago, but I don't even have IPv6. Things are changing, but still slowly.

> >> it seems that NIST's PIV would be a good choice
> >
> > It would be a much better candidate if there was not such a thick
> > layer of components involved which serve little to no purpose.
>
> If you talk about the actual card standard I have no idea what
> you are referring to. It looks quite simple to me. If you OTOH
> refer to the OpenSC implementation, this is something that PIV
> isn't responsible for.

Actually neither, I refer to the entire stack of software required for CCID, APDUs, PKCS#15 and translation to PKCS#11 or CryptoAPI.

> Anyway, I know that the PIV vendors verify their cards against
> Microsoft's driver and that is IMO the way to go.

If there's a superior alternative Microsoft may well catch up at some point. They did with USB.

> > But it would be nice to try to do even better. :)
>
> That is what my project is all about but that is hardly an
> alternative for Feitian at this stage.

Also agree. I'm also not suggesting that Feitian pick up on my idea. If they do that's perfectly fine and totally awesome, but I'm keeping the idea alive only because *I* think it is good and would like to try it out.

//Peter

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel