On Fri, Oct 28, 2011 at 4:10 AM, Martin Paljak <mar...@martinpaljak.net> wrote:

> Now, the fact that there are both binary blob "drivers" that speak
> PKCS#11 but also open source drivers (also free, in the sense of "free
> software" vs "open source software") is as good an excuse to reject PKCS#11
> as ruling out HTTP from a browser because "there might be web servers
> that are not free software and are run and owned by evil people" and
> insisting on using HTTP-FREE which is incompatible with HTTP. Keep in
> mind that we are talking about *interfaces*, not what's behind it. I
> might be wrong but I guess that most people run GnuPG on top of
> motherboards and CPUs that are far from being free in any sense
> (firmwares, CPU microcode and designs etc). Where do you draw the border?
>
> Just to re-assure you, I'm a huge fan and proponent of both FOSS (and
> plain OSS) but I also strongly believe in common sense.
> And common sense tells that using PKCS#11 is a better option than not
> using it at all or inventing a 15th standard [1].
Another shameless plug here, but the IBM 4765 does have GPL'd firmware, device drivers and open-source (CPL'd) PKCS#11 on top of it. There is still a binary blob that sits between PKCS#11 and the device driver if you want to use encrypted keys.

There's also the TPM, whose stack is completely open-source from PKCS#11 down through the device driver. I'm not aware of a TPM vendor with open source firmware though.

Kent
IBM LTC Security

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography