<<TableOfContents(2)>>

''NB, should move this to [[Roots/HSM]] or similar ...''

= Mission =

The PKCS#11 Taskforce is set up to provide the missing standardisation, testing, development and lobbying for the PKCS#11 environment, to make it a useful environment.
PKCS#11 is a standard from RSA Security: [[http://www.rsasecurity.com/rsalabs/node.asp?id=2133]]

= Registry =

PKCS#11 is a standard from RSA Security, which defines a C API for Crypto 
Hardware drivers (SmartCards, Tokens, High-Security Modules, TPM´s, ...)

The big usability problem with PKCS#11 is the registration of PKCS#11 drivers in the system, so that applications can automatically find all available PKCS#11 drivers on a system. The standard just covers the C-API and is completely missing a driver registry guideline, or something similar.

The result of this situation is that the driver vendors install the drivers 
anywhere on the filesystem (some put it in /usr/lib, some somewhere 
completely else).
So the users have to manually find the drivers (how?) and configure every 
application that wants to use them with the exact pathes of all the drivers 
they want to use (which doesn´t work in practice).

Our proposal is to use directories as registry for PKCS#11 drivers.
Those directories only contain the drivers (lib*.so, *.DLL), put additional material somewhere else.

Current directories:
 * Unix: /usr/lib/pkcs11/
 * Unix: /usr/lib64/pkcs11/
 * Solaris: /usr/lib/pkcs11/$ISA/  ($ISA is the architecture: /usr/lib/pkcs11/64/ , ... )
 * Windows: WINDOWS\SYSTEM32\pkcs11\*.dll


If you are a vendor, developer or distributor, please adopt those directories, and make your driver install itself there.

|| Currently supporting Vendors/Distributors (please add yourself): || ||
|| Promised to support with the next version (please add yourself): || Novell(SuSE), Sun(Solaris), QCA [[http://delta.affinix.com/qca/]] , OpenSC ||


== PKCS11 in FHS Proposal ==

Now I would suggest the following addition to FHS:
{{{
/usr/lib/pkcs11 : PKCS#11 drivers 

Purpose

PKCS#11 is a standard for an interface to Cryptography hardware (SmartCards, 
USB Tokens, High Security Modules, Trusted Platform Modules, ... all together 
referred as "Hardware Tokens")
/usr/lib/pkcs11 includes libraries (shared objects) which conform to the 
PKCS#11 standard of RSA Security, and can be used by any user applications. 
They are not intended to be executed directly by users or shell scripts. [22]

Only the libraries/drivers themselves are supposed to be in 
the /usr/lib/pkcs11 directory, other driver specific files should reside in a 
single driver-specific subdirectory under /usr/lib. If a driver
uses a subdirectory, all architecture-dependent data exclusively used by the
application must be placed within that subdirectory, except the driver itself. 
[23]

----------------

Specific Options

For historical reasons, drivers can by symlinked from other directories. For 
the future, everyone is asked to migrate to the new structure. [24]

}}}




= Feedback =

 *Ludovic Rousseau said that it should be in /lib instead of /usr/lib, since PAM modules could need the libraries for root to be able to login, before /usr is mounted. Any opinions?

 *AndreasJellinghaus (one of the OpenSC developers)


= Other TODOs =

 *localisation/internationalisation
 *security model administrator vs. user
 *usability study
 *quality assurance of the drivers and the applications
 *automatic regression testing of the driver by the application/framework
 *upgrade of the software-tokens (GPKCS11 and soft-pkcs11) to fully usable tokens
 *API and free reference implementation for the registry service (?)
 *better distribution of drivers

= Quality Assurance =

We are currently thinking about building up a testing lab to intensively test and improve the available PKCS#11 drivers. 
Unless somebody comes up with better ideas, it is planned to create a "CAcert certified PKCS#11 driver" program.

= Distribution =

We believe that it is necessary that all Linux distributions contain the necessary drivers for all the SmartCards out there. So we will try to collect the PKCS#11 drivers, and push them to the distributors for inclusion, to make them publically available.


= Drivers =

Please add/correct your listing yourself.
[[http://janus.liebregts.nl/pkcs11/smartc.html]]

|| Name || URL || Vendor || Status ||
|| GPKCS ||  [[http://www.trustcenter.de/products/pkcs11/de/de.htm]]  || TC Trustcenter || does not link correctly on newer distributions ||
|| soft-pkcs11 || [[http://people.su.se/~lha/soft-pkcs11/]] || Love Hörnquist Åstrand || not enough features yet ||
|| Athena || [[http://www.athena-scs.com/]] || Athena-SCS || not tried ||
|| Arx || [[http://www.arx.com/]] || Arx || not tried ||
|| Aladdin || [[http://www.ealaddin.com/]] || Aladdin || not tried ||
|| Litronic Netsign || [[http://www.litronic.com/products/netsign/]] || Litronic || not tried ||
|| NCipher HSM || [[http://www.ncipher.com/]] || NCipher || not tried ||
|| SafeNet HSM || [[http://www.safenet-inc.com/]] || SafeNet || not tried ||
|| IButton || [[http://www.maxim-ic.com/products/ibutton/PKCS/index.cfm]] || Dallas Semiconductor/Maxim || lot of stability issues ||
|| OpenSC || [[http://www.opensc.org/files/doc/opensc.html#opensc.pkcs11]] || OpenSC || not tried ||
|| openCryptoki || http://www.sf.net/projects/opencryptoki || IBM || ||

== Found Drivers ==

||AET||c:/winnt/system32/aetpkss1.dll||
||Aladdin eToken||c:/winnt/system32/etpkcs11.dll||
||Chrysalis||c:/winnt/system32/cryst32.dll||
||Chrysalis||c:/program files/luna/cryst201.dll||
||Datakey||c:/winnt/system32/pkcs201n.dll||
||Datakey (for Entrust)||c:/winnt/system32/dkck201.dll||
||Datakey/iKey (NB: buggy, use 201)||c:/winnt/system32/dkck232.dll||
||Eracom (old, OK)||c:/program files/eracom/cprov sw/cryptoki.dll||
||Eracom (new, buggy)||c:/program files/eracom/cprov runtime/cryptoki.dll||
||Eutron||c:/winnt/system32/sadaptor.dll||
||Gemplus||c:/winnt/system32/pk2priv.dll||
||Gemplus||c:/program files/gemplus/gclib.dll||
||IBM||c:/winnt/system32/cryptoki.dll||
||nCipher||c:/winnt/system32/cknfast.dll||
||Nexus||c:/winnt/system32/nxpkcs11.dll||
||Orga Micardo||c:/winnt/system32/micardoPKCS11.dll||
||Rainbow HSM (for USB use Datakey dvr)||c:/winnt/system32/cryptoki22.dll||
||Safelayer HSM (for USB use Datakey dvr)||c:/winnt/system32/p11card.dll||
||Schlumberger||c:/winnt/system32/slbck.dll||
||Spyrus||c:/winnt/system32/SpyPK11.dll||



= Applications =

|| Name || URL || Information ||
|| pkcs11-tool || [[http://www.opensc.org/files/doc/opensc.html#opensc.pkcs11]] || Commandline tool ||
|| OpenSSL || [[http://www.openssl.org/]] || Crypto library with PKCS#11 support ||
|| cryptlib || [[http://www.cs.auckland.ac.nz/~pgut001/cryptlib/]] || Crypto library with PKCS#11 support ||
|| Mozilla( Firefox, Thunderbird) || [[http://www.firefox.org/]] || Browser, Email Client with NSS-based PKCS#11 support. ||
|| XMLSec || [[http://www.aleksey.com/xmlsec/]] || XML Encryption and Signature ||
|| Psi || [[http://psi.affinix.com/]] || XMPP/Jabber Client ||