On 2012-02-20 21:40, Peter Stuge wrote:
> Anders Rundgren wrote:
>> I don't know what USB P11 is, can you send me a pointer?
>
> It's my old idea of implementing PKCS#11 directly over USB. Issues
> have been pointed out, and they would have to be solved of course.

Maybe you would like to have an STM32F215-based token?
160 MHz, 128K RAM, 1M Flash, USB HS, True RNG, AES
It may happen this year.

Anders

>
>
>> Although PKCS #11 is good it is not particularly popular on Windows.
>> It is essentially only Mozilla who insists on not supporting the
>> native Windows crypto system. SUN/Oracle have managed to do 3(!)
>> major Java releases (5,6,7) without PKCS #11 support for Win-64.
>> They have though added support for Crypto-API.
>
> The same USB device could support Crypto-API primitives too.
>
>
>> Regarding my token-project it has no direct ties to PKCS #11; it is
>> closer to the NXP GP-chip which is powering Google's Wallet.
>>
>> The reason for this is that PKCS #11 doesn't have an interface
>> supporting secure remote provisioning, something which is absolutely
>> necessary in the mobile phone world.
>
> Provisioning is indeed outside PKCS#11 and could be done in some
> other, also convenient, way. USB is really easy to use.
>
>
>> I have stretched this notion to include connected tokens as well
>> with a hope of reaching the critical mass needed for establishing a
>> de-facto standard.
>
> I fear that you are ahead of your time. :\ Adam Dunkels implemented
> the internet of things many years ago, but I don't even have IPv6.
> Things are changing, but still slowly.
>
>
>>>> it seems that NIST's PIV would be a good choice
>>>
>>> It would be a much better candidate if there was not such a thick
>>> layer of components involved which serve little to no purpose.
>>
>> If you talk about the actual card standard I have no idea what
>> you are referring to. It looks quite simple to me. If you OTOH
>> refer to the OpenSC implementation, this is something that PIV
>> isn't responsible for.
>
> Actually neither, I refer to the entire stack of software required
> for CCID, APDUs, PKCS#15 and translation to PKCS#11 or CryptoAPI.
>
>
>> Anyway, I know that the PIV vendors verify their cards against
>> Microsoft's driver and that is IMO the way to go.
>
> If there's a superior alternative Microsoft may well catch up at some
> point. They did with USB.
>
>
>>> But it would be nice to try to do even better. :)
>>
>> That is what my project is all about but that is hardly an
>> alternative for Feitian at this stage.
>
> Also agree. I'm also not suggesting Feitian to pick up on my idea. If
> they do that's perfectly fine and totally awesome, but I'm keeping
> the idea alive only because *I* think it is good and would like to
> try it out.
>
>
> //Peter
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel