[Cryptech Tech] token api
Russ Housley
housley at vigilsec.com
Tue Mar 11 21:28:55 UTC 2014
When I worked on crypto tokens, this was the approach we used. We had an API that was pretty close to the actual hardware command structure, and then we built PKCS #11 and Microsoft CAPI on top of that.
Russ
On Mar 11, 2014, at 4:43 PM, Randy Bush wrote:
> [ my warped understanding, likely incorrect ]
>
> in yesterday's and today's discussion
>
> o it was expressed that pkcs#11 was needed in the mid term (end of
> year prototypes) for applications such as dnssec and rpki.
>
> o it was also expressed that pkcs#11 is not pretty and should not be
> the sole or even principal driver of the token api design, as it
> would bias the design in undesirable ways.
>
> these are not as diametrically opposed as one might think from being
> overly-assertively miscommunicated in overly long discussion :)
>
> it was suggested that there should be an underlying api which pkcs#11
> could use as could other apis such as gpg's. it would be more elegant
> and 'correct' than straight pkcs#11. but as near as we got to
> articulating this underlying api was to agree to try to abstract
> pkcs#11, gpg, and any other key examples we can find. as this had not
> been discussed before, things got pretty squishy quickly.
>
> we need to resolve this in the next couple of months. bright ideas and
> constructive suggestions solicited.
>
> randy