[cryptography] -currently available- crypto cards with onboard key storage

Kent Yoder shpedoikal at gmail.com
Tue Nov 1 15:37:32 EDT 2011


On Fri, Oct 28, 2011 at 4:10 AM, Martin Paljak <martin at martinpaljak.net> wrote:
> Now, the fact that there are both binary blob "drivers" that speak
> PKCS#11 but also open source drivers (also free, in the sense of "free
> software" vs "open source software") is as good excuse to reject PKCS#11
> as ruling out HTTP from a browser because "there might be web servers
> that are not free software and are run and owned by evil people" and
> insisting on using HTTP-FREE which is incompatible with HTTP. Keep in
> mind that we are talking about *interfaces* not what's behind it. I
> might be wrong but I guess that most people run GnuPG on top of
> motherboards and CPU-s that are far from being free in any sense
> (firmwares, CPU microcode and designs etc). Where do you draw the border?
>
> Just to re-assure you, I'm a huge fan and proponent of both FOSS (and
> plain OSS) but I also strongly believe in common sense.
> And common sense tells that using PKCS#11 is a better option than not
> using it at all or inventing a 15th standard [1].

  Another shameless plug here, but the IBM 4765 does have GPL'd
firmware, device drivers and open-source (CPL'd) PKCS#11 on top of it.
 There is a still a binary blob that sits between PKCS#11 and the
device driver if you want to use encrypted keys.

  There's also the TPM, who's stack is completely open-source from
PKCS#11 down through the device driver.  I'm not aware of a TPM vendor
with open source firmware though.

Kent
IBM LTC Security



More information about the cryptography mailing list