On 10/27/11 3:02 , Werner Koch wrote: > On Thu, 27 Oct 2011 11:15, mar...@martinpaljak.net said: > >> I don't know about PGP(.com), but GnuPG is picky about hardware key >> containers. Things like PKCS#11. > > For the records: That is simply not true. We only demand an open API > specification for the HSM because we don't want to support binary blob > pkcs#11 "drivers".
Taking into account the original request of getting something off-the-shelf for PGP uses, this demand basically just rules out GnuPG for some users and use cases. Why? Any kind of cryptographic hardware tends to already be costly (in case of PCI HSM-s in the order of (tens of)thousands of euros or dollars). Even if you get a HSM together with *interface* specification (I believe this is a matter of money), the hardware usually comes off-the-shelf only with existing drivers for CryptoAPI, JCE, PKCS#11, sometimes OpenSSL engine (which really is not relevant IMHO in this context for any meaningful use besides mod_ssl+apache). This demand adds a *forced* requirement to develop (and test, and maintain etc) another piece of software before you can interface the hardware with the software you want (GnuPG in this case), which hardly makes anyone optimistic and motivated. Or makes any good to the overall adoption of both PGP and FOSS. Now, the fact that there are both binary blob "drivers" that speak PKCS#11 but also open source drivers (also free, in the sense of "free software" vs "open source software") is as good excuse to reject PKCS#11 as ruling out HTTP from a browser because "there might be web servers that are not free software and are run and owned by evil people" and insisting on using HTTP-FREE which is incompatible with HTTP. Keep in mind that we are talking about *interfaces* not what's behind it. I might be wrong but I guess that most people run GnuPG on top of motherboards and CPU-s that are far from being free in any sense (firmwares, CPU microcode and designs etc). Where do you draw the border? Just to re-assure you, I'm a huge fan and proponent of both FOSS (and plain OSS) but I also strongly believe in common sense. And common sense tells that using PKCS#11 is a better option than not using it at all or inventing a 15th standard [1]. For meaningful adoption of crypto in everyday life would mean making it a commodity, as universal and interchangeable as possible [2]. Martin [1] http://xkcd.com/927/ [2] http://en.wikipedia.org/wiki/AC_power_plugs_and_sockets -- @MartinPaljak +3725156495 _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
