Erich Titl wrote:

> Maybe I am completely off topic, but I am using an iKey 1000 on a Windoze box with standard openvpn. AFAIK the iKey 1000 provides a PKCS#11 interface which (at least on Windoze) is handled by the proprietary driver.
> This token only handles storage of the keys. I believe the engine is only required when you want to run crypto operations on the card.

Hello Erich,

In terms of security, there is no point in using a device that stores keys only to have them extracted by applications. In order to secure your identity you must use a device that cannot be duplicated. This can be implemented only if the device does not allow the private key to be extracted from it. In order to make use of this non-extractable key, the device must perform the cryptographic operations, not the software.

What you describe is somewhat like putting the private key on a USB storage device... This is a very low security level.

Best Regards,
Alon Bar-Lev.
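The property Alon is describing is something a token owner can verify from the command line: OpenSC's `pkcs11-tool --module <lib> --login --list-objects --type privkey` prints an `Access:` line for each private key, and a key that is marked `never extractable` is one the host software can only use, not copy. The script below is an added example (not from the thread or from OpenSC) that scans such output and flags any private key lacking that attribute; the sample output is constructed, and the exact `Access:` wording is assumed to match current OpenSC releases.

```sh
#!/bin/sh
# Flag private keys on a PKCS#11 token that are NOT marked "never extractable".
# Input : text printed by `pkcs11-tool --module <lib> --login --list-objects --type privkey`
# Output: one OK/WEAK line per key; exit status 1 if any key is extractable.
# The "Access:" line format is assumed from OpenSC's pkcs11-tool (assumption).

# Constructed sample: one key locked in the token, one that the token merely stores.
SAMPLE_OUTPUT='Private Key Object; RSA
  label:      openvpn-client
  ID:         01
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable, local
Private Key Object; RSA
  label:      backup-copy
  ID:         02
  Usage:      decrypt, sign
  Access:     sensitive, extractable, local'

# check_keys: reads pkcs11-tool output on stdin; returns 0 only if every
# private key carries "never extractable".
check_keys() {
    awk '
        BEGIN { weak = 0; label = ""; access = "" }
        /^Private Key Object/ { if (label != "") report(); label = "(unlabelled)"; access = "" }
        /^[ \t]*label:/       { sub(/^[ \t]*label:[ \t]*/, "");  label  = $0 }
        /^[ \t]*Access:/      { sub(/^[ \t]*Access:[ \t]*/, ""); access = $0 }
        END { if (label != "") report(); exit weak }
        function report() {
            if (access ~ /never extractable/) {
                printf "OK   %s (%s)\n", label, access
            } else {
                printf "WEAK %s (%s)\n", label, access   # key can leave the token
                weak = 1
            }
        }
    '
}

# count_weak_keys: number of WEAK keys in the output passed as $1 (always prints a count).
count_weak_keys() {
    printf '%s\n' "$1" | check_keys | grep -c '^WEAK' || true
}

# Run with --demo to see the report for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_OUTPUT" | check_keys
fi
```

Pipe real `pkcs11-tool` output into `check_keys` to audit a token before trusting it with an OpenVPN client key.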