David Corcoran wrote:

> Applications need the PKCS-11 or CDSA architecture to manage things like
> CA's, certificate handling, etc. The MuscleCard API is well capable of
> handling cards like the Finnish ID PKCS-15 card with the right plug-in.
> Even if it wasn't it could still fit at the PKCS-11 layer. At the
> Musclecard layer you are more worried about containers than certificates,
> Certs are stored as objects, keys are unwrapped and stored as keys, pins
> as pins, etc.

I'm not sure I follow this. PKCS#11 implementations have been written with no certificate handling at all: that is, they just blindly store them as an opaque blob with a set of attributes provided by the application. A slightly less naive implementation might want to save space on a smart card by extracting the relevant fields from the certificates themselves instead of storing them. Even this, though, needs a very minimal ASN.1 parser.

Wrt PKCS#15 cards and suchlike: if they can be supported at the MuscleCard layer then that would be great. I think if a typical PKCS#15 card could be handled then GPK and/or GemSAFE could also be handled. I'm not too sure how this would be done. For example, how would issues like this be handled:

1. The card doesn't support the full range of algorithms: say RSA only, no DSA or DES, 3DES.

2. The card is read only: you can't create or delete objects at all. These could presumably be handled by some "query capabilities" function or similar. Does such a thing exist under MuscleCard, or would an application have to interpret SW_UNSUPPORTED_FEATURE return codes?

3. The card has objects with a specific meaning: e.g. certificates. I'd guess that PKCS#11 stores things like certificates on a MuscleCard as objects with some additional header information to indicate the stored object is a certificate. Presumably a driver for something like a PKCS#15 card would need to make certificates (and other objects) emulate the MuscleCard headers?

Steve.

-- 
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

***************************************************************
Unix Smart Card Developers - M.U.S.C.L.E.
(Movement for the Use of Smart Cards in a Linux Environment)
http://www.linuxnet.com/
To unsubscribe send an email to [EMAIL PROTECTED]
with unsubscribe sclinux
***************************************************************
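The two certificate-handling approaches Steve contrasts (store the certificate as an opaque blob with application-supplied attributes, or run a minimal ASN.1 parser over it to pull out the fields that become those attributes) as an added example that is not part of the original post and is not MuscleCard or PKCS#15 code: a small DER walker in Python that extracts the serial number, issuer and subject from a certificate and builds a PKCS#11-style attribute template from them. The attribute names are the standard PKCS#11 ones for `CKO_CERTIFICATE` objects; the certificate bytes are constructed inline by `build_sample_certificate` (unsigned, placeholder key, only the structure a parser needs) rather than taken from any real card.

```python
"""Minimal DER (ASN.1) walker for the fields a PKCS#11 layer exposes as
attributes of an X.509 certificate object.  Added example; the sample
certificate is constructed here and is not a real signed certificate."""
from dataclasses import dataclass

# ASN.1 universal tags that X.509 uses (subset).
INTEGER, BIT_STRING, OID, UTF8STRING, UTCTIME = 0x02, 0x03, 0x06, 0x0C, 0x17
SEQUENCE, SET = 0x30, 0x31
CTX0_EXPLICIT = 0xA0                          # [0] EXPLICIT, wraps version
OID_CN = bytes.fromhex("550403")              # 2.5.4.3  commonName
OID_RSA = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")  # sha256WithRSAEncryption


def encode_tlv(tag, value):
    """DER TLV encoder with short/long-form definite lengths (encoder side)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_int(n):
    """DER INTEGER for a non-negative int (minimal two's complement)."""
    return encode_tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_tlv(buf, pos=0):
    """Decode one TLV at pos -> (tag, value, next_pos).  Single-byte tags,
    definite lengths up to 4 bytes; rejects indefinite and truncated data."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def der_children(value):
    """All (tag, value) pairs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_tlv(value, pos)
        out.append((tag, v))
    return out


def name_with_cn(cn):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value } with a single CN."""
    atv = encode_tlv(OID, OID_CN) + encode_tlv(UTF8STRING, cn.encode())
    return encode_tlv(SEQUENCE, encode_tlv(SET, encode_tlv(SEQUENCE, atv)))


def build_sample_certificate(serial, issuer_cn, subject_cn):
    """Constructed sample: structurally an X.509 v3 certificate, but with a
    placeholder public key and an all-zero signature (never verifiable)."""
    sig_alg = encode_tlv(SEQUENCE, encode_tlv(OID, OID_SHA256_RSA) + b"\x05\x00")
    validity = encode_tlv(SEQUENCE, encode_tlv(UTCTIME, b"240101000000Z")
                          + encode_tlv(UTCTIME, b"250101000000Z"))
    spki = encode_tlv(SEQUENCE, encode_tlv(SEQUENCE, encode_tlv(OID, OID_RSA) + b"\x05\x00")
                      + encode_tlv(BIT_STRING, b"\x00" + b"\x00" * 8))
    tbs = encode_tlv(SEQUENCE, encode_tlv(CTX0_EXPLICIT, encode_int(2)) + encode_int(serial)
                     + sig_alg + name_with_cn(issuer_cn) + validity
                     + name_with_cn(subject_cn) + spki)
    return encode_tlv(SEQUENCE, tbs + sig_alg + encode_tlv(BIT_STRING, b"\x00" * 17))


@dataclass
class CertFields:
    serial: int
    issuer_cn: str
    subject_cn: str
    serial_der: bytes   # DER INTEGER, the encoding PKCS#11 wants in CKA_SERIAL_NUMBER
    issuer_der: bytes   # DER Name, as CKA_ISSUER
    subject_der: bytes  # DER Name, as CKA_SUBJECT


def extract_cn(name_value):
    """Walk Name -> RDN SET -> AttributeTypeAndValue and return the CN."""
    for _, rdn in der_children(name_value):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            if oid == OID_CN:
                return val.decode()
    return None


def parse_certificate(der):
    """Pull serial, issuer and subject out of a DER Certificate."""
    tag, cert, end = der_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a single Certificate SEQUENCE")
    _, tbs = der_children(cert)[0]
    fields = der_children(tbs)
    idx = 1 if fields[0][0] == CTX0_EXPLICIT else 0   # version is absent in v1
    (stag, serial), (_, issuer), (_, subject) = fields[idx], fields[idx + 2], fields[idx + 4]
    if stag != INTEGER:
        raise ValueError("serialNumber is not an INTEGER")
    return CertFields(int.from_bytes(serial, "big", signed=True),
                      extract_cn(issuer), extract_cn(subject),
                      encode_tlv(INTEGER, serial), encode_tlv(SEQUENCE, issuer),
                      encode_tlv(SEQUENCE, subject))


def pkcs11_certificate_template(der, label):
    """Attribute template a PKCS#11 C_CreateObject caller would fill in; the
    opaque-blob approach would keep only CKA_VALUE plus caller-supplied fields."""
    f = parse_certificate(der)
    return {"CKA_CLASS": "CKO_CERTIFICATE", "CKA_CERTIFICATE_TYPE": "CKC_X_509",
            "CKA_TOKEN": True, "CKA_LABEL": label, "CKA_SUBJECT": f.subject_der,
            "CKA_ISSUER": f.issuer_der, "CKA_SERIAL_NUMBER": f.serial_der,
            "CKA_VALUE": der}


if __name__ == "__main__":
    blob = build_sample_certificate(4097, "Test CA", "Test User")
    print(parse_certificate(blob))
    print({k: (v.hex() if isinstance(v, bytes) else v)
           for k, v in pkcs11_certificate_template(blob, "sample").items()})
```

The length checks in `der_tlv` are the part that matters on a card: data read back from a token is whatever the file system holds, so a parser that trusts the encoded length would read past a truncated or corrupted object instead of rejecting it. The template keeps `CKA_VALUE` as the full blob either way; the extracted attributes only save the card-resident driver from re-parsing on every `C_FindObjects` lookup.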
