From: "Peter Tomlinson" <[EMAIL PROTECTED]>
Reply-To: MUSCLE  <[EMAIL PROTECTED]>
To: "MUSCLE" <[EMAIL PROTECTED]>
Subject: Re: [Muscle] mozilla can't add PKCS11 module
Date: Mon, 12 Apr 2004 10:00:51 +0100

Christian Schneider wrote:

> It's quite sad that there is no universal pkcs11 module. But muscle is
> a start ;-)

PKCS#11 was designed as an API within a client system, allowing for a set of
drivers under it in order to link to each crypto process/token (server).

PKCS#11 was designed for the purpose of ensuring that RSA licensees could access RSA devices using the same type of API as NSA was promoting (1992,1993,1994) for DSA. I've long since forgotten the name of that "Fortezza API", but it was the (copyright-centered) politics of the US government that forced RSADSI to create a parallel API - one that would not exclude RSA by policy. On Solaris, installation was almost as bad as PCSC-lite on Linux: you had to rebuild the kernel to include the SCSI drivers! On Windows, you had to install proprietary PCMCIA card services, and I'm not sure there ever was anything for DOS.


Some of the PKCS#11 constructs are very clumsy today, and addressed the way the PCMCIA market - which was still at its proprietary stage, like smartcard readers today. The API addressed a client world in which you installed your own 16bit PCMCIA card socket and card services to access the RSA chip! But bus-level access was its main focus. Once PCMCIA went universal on SUN's defense workstations and went universal on laptop PC with Win95, simple 2 chip "ISA class" PC card RSA devices were possible. Once Spyrus put software RSA on a 32bit ARM in 1991, we went and talked to a founder of MIPS (1995) to see what their power/cores expectations were: at this point custom RSA hardware chips were really not interesting, commercially, given what general-purpose CPUs would be doing in 2 years (200 sigs per second in 1996), and trusted bus technology.

Things changed once CryptoAPI came along, and RSADSI licensed TIPEM/BSAFE to Microsoft (and Microsoft invested $500,000 for 6% of VeriSign, and agreed to warrants which "monopolised" the SSL, IPSEC and S/MIME cert market, and projected the expiring RSA patent forward for the important parts: certs). The PKCS#11 standard had really served its original purpose.

If Netscape had not had such ego, it would have chosen either Intel's or Microsoft's properly designed crypto plugin architectures. Instead, it hacked the US government Fortezza API, and introduced PKCS#11 into a smartcard framework role that it was just never designed for. RSADSI never put the long term design/support structure in place for PKCS#11, and Netscape only ever had a crypto vision of about 3 months.

Peter (speaking ex cathedra on the topic very close to his own work desk in 1994!).

(PS. the cost of 200 sigs/s in a reasonably trustworthy package is now $10. In 1995, the cost was $1000.)

My understanding of the purpose of both PKCS#15 and ISO/IEC 7816-15 is that
they are meant to standardise the interface (card edge) to a smart card
crypto token. Agree on a universal card edge and then it's possible to
develop a universal PKCS#11 module (well, perhaps several, depending on the
interface to the next layer down) as a driver inside the PC.

Hack, to preserve a defunct API, IMHO. If the card exports PKCS#11, native, that's a different ball game, though. All this interface mapping just keeps software costs too high, for mass adoption.


If you are going to have crypto services delivered to a PC via a 7816 file system-based postbox signalling (rather like the Fortezza API, thinking about its use of SCSI socket services, in retrospect) why not map the PKCS#15 cardedge into the file system, via USB mass storage drivers? Just like all the io/memory cards, which work seamlessly with consumer platforms these days? Surely, on Unix, everything is a file!? Both the i586+ BIOS and Linux come with MSD... (assuming you trust these components)

If Sony can deliver crypto-enhanced DRM processing worldwide on its magicgate cards, via integration with the file/streaming system, why not follow the example, and do the same with raw crypto cardedge?

Peter
