As far as using the gnupg architecture instead of libraries like NSS... That's interesting to imagine, but that would be a massive undertaking (think army of developers, years of work).
There's really limited developer interest in the usability aspect of crypto, so we're working on gluing together libraries and stuff that already exists like NSS and GnuTLS. This means apps can work together with pretty minimal code and integration changes.
Part of the reason that I'm working on this is to make crypto more accessible and usable on the Desktop. I hope this will make it more interesting to get involved with. With the resulting interest and developer manpower, it's possible that a move to an architecture that's 'better' than PKCS#11 could take place.
As an aside, I think it'd be really cool to see someone work on a backend for Glib GIO TLS based around gnupg.
Posted Aug 11, 2011 17:13 UTC (Thu) by dd9jn (subscriber, #4459)
AFAIR, RedHat pushed for NSS because it has a FIPS certification and thus would make it easy to get RHEL FIPS certified. I don't know whether this is still the plan; I heard that they now plan to move all crypto into the Linux kernel to satisfy newer FIPS requirements.
Crypto usability is more important than discussions on whether SHA-1 or SHA-256 is appropriate. Actually everything should work without any user interactions. We are far away from such a goal.
For what do you really need PKCS#11? Shall we discuss this on a ML and see whether we can do something about it?
PKCS#11 and GnuPG
Posted Aug 11, 2011 19:06 UTC (Thu) by stefw (guest, #75025)
Yes, a great place to discuss it would be p11-glue@lists.freedesktop.org