Oscar Jacobsson wrote:
> 
> Bear Giles wrote:
> > But a plug-in that transparently updated a smart card would be extremely
> > handy. :-)  That's what makes the design so hard - it needs to be able
> > to handle everything from 8k smart cards holding a single veiled key and
> > cert to RDBMS databases with 50,000+ entries.
> 
> I think the design would be made needlessly complex by mandating this
> scalability.
> 

I'd be reluctant to have multiple APIs handling each case. What we could
have is flags or profiles saying what a certain kind of database should
support.

> The use cases needed for your smart card API would be, say: encrypt
> this, decrypt this, sign this, verify this. This is what Cryptoki
> (PKCS#11) does, and does quite well, in my experience.
> 

There are unfortunately some problems with PKCS#11. Its tantalisingly
close to whats needed but falls down in some areas. 

> The use cases for a full-blown PKI repository, which I honestly thought
> was what we were discussing, should probably include: find me the issuer
> of this, give me the status of this, enumerate all my revoked
> certificates. None of these would make much sense to the humble 8k card.
> 

Indeed it wouldn't, but full lookup need not be a complex task. The way
I'm considering this would be a layered structure which could allow some
things like smart cards to have a KISS approach.

A standard database type would be an in memory database with full
lookup. A smartcard could build on this by just stuffing all the card
certificates in memory when its inserted and updating those on card as
needed. That would remove most of the lookup burden.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to