Anders Rundgren wrote:
> Is my assumption that the amount of PKCS #11 needed for doing
> TLS-client-cert auth or S/MIME is close to nothing?
>
> I also guess that the CryptAPI support needed for AD login
> with a certificate is very small, right?

It could be zero if you have the right card. Windows 7 comes with support for PIV. Other cards need a CSP from a vendor or OpenSC. The card management on the AD side is the Achilles heel.

On Linux, a combination of pam_krb5, Kerberos with PKINIT, PKCS11 from OpenSC, OpenSC and pcsc-lite will let you log in to AD too. It's all available in current releases.

> I'm asking because Peter's idea to emulate PKCS #11 directly
> is horrendous if the entire spec is to be followed but could
> turn out to be a no-brainer if you only need to enumerate keys,
> open, sign and close.

That sounds too optimistic. You don't want your card or device signing just anything.

> Anders

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel