NB, should move this to Roots/HSM or similar ...

Mission

The PKCS#11 Taskforce is set up to provide the missing standardisation, testing, development and lobbying for the PKCS#11 environment, to make it a useful environment. PKCS#11 is a standard from RSA Security: http://www.rsasecurity.com/rsalabs/node.asp?id=2133

Registry

PKCS#11 is a standard from RSA Security which defines a C API for crypto hardware drivers (SmartCards, Tokens, High-Security Modules, TPMs, ...).

The big usability problem with PKCS#11 is the registration of PKCS#11 drivers in the system, so that applications can automatically find all available PKCS#11 drivers on a system. The standard only covers the C API and is completely missing a driver registry guideline or anything similar.

The result of this situation is that driver vendors install their drivers anywhere on the filesystem (some put them in /usr/lib, some somewhere else entirely). So users have to find the drivers manually (how?) and configure every application that wants to use them with the exact paths of all the drivers they want to use (which doesn't work in practice).

Our proposal is to use directories as the registry for PKCS#11 drivers. Those directories contain only the drivers themselves (lib*.so, *.DLL); any additional material goes somewhere else.

Current directories:

If you are a vendor, developer or distributor, please adopt those directories, and make your driver install itself there.

Currently supporting Vendors/Distributors (please add yourself):

Promised to support with the next version (please add yourself):

Novell(SuSE), Sun(Solaris), QCA http://delta.affinix.com/qca/ , OpenSC

PKCS11 in FHS Proposal

Now I would suggest the following addition to FHS:

/usr/lib/pkcs11 : PKCS#11 drivers 

Purpose

PKCS#11 is a standard for an interface to cryptography hardware (SmartCards, USB Tokens, High Security Modules, Trusted Platform Modules, ..., all together referred to as "Hardware Tokens").

/usr/lib/pkcs11 includes libraries (shared objects) which conform to the PKCS#11 standard of RSA Security and can be used by any user application. They are not intended to be executed directly by users or shell scripts. [22]

Only the libraries/drivers themselves are supposed to be in the /usr/lib/pkcs11 directory; other driver-specific files should reside in a single driver-specific subdirectory under /usr/lib. If a driver uses a subdirectory, all architecture-dependent data exclusively used by the application must be placed within that subdirectory, except the driver itself. [23]

----------------

Specific Options

For historical reasons, drivers can be symlinked from other directories. For the future, everyone is asked to migrate to the new structure. [24]
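To show what an application gains from the directory registry proposed in the Registry section and in the FHS text above, here is an added example (not code from the taskforce or from any project listed on this page) that enumerates /usr/lib/pkcs11, loads each candidate with ctypes, and asks it for C_GetFunctionList and C_GetInfo. It assumes the natural, unpacked layout of the PKCS#11 structures used on Unix builds, and it reports a module that fails to load (the "does not link correctly" case from the driver table) instead of aborting the whole scan.

```python
import ctypes
from pathlib import Path

REGISTRY_DIRS = ["/usr/lib/pkcs11"]   # the registry directory proposed on this page
CKR_OK = 0
class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]
class CK_INFO(ctypes.Structure):
    _fields_ = [("cryptokiVersion", CK_VERSION), ("manufacturerID", ctypes.c_char * 32),
                ("flags", ctypes.c_ulong), ("libraryDescription", ctypes.c_char * 32),
                ("libraryVersion", CK_VERSION)]
CK_RV_VOIDP = ctypes.CFUNCTYPE(ctypes.c_ulong, ctypes.c_void_p)
class CK_FUNCTION_LIST_HEAD(ctypes.Structure):
    # Only the leading members of CK_FUNCTION_LIST are modelled (natural, unpacked layout as on Unix).
    _fields_ = [("version", CK_VERSION), ("C_Initialize", CK_RV_VOIDP), ("C_Finalize", CK_RV_VOIDP),
                ("C_GetInfo", ctypes.CFUNCTYPE(ctypes.c_ulong, ctypes.POINTER(CK_INFO)))]

def is_driver_candidate(name):
    """The page lists lib*.so and *.DLL; any .so (also versioned .so.N) is accepted since only drivers belong here."""
    low = name.lower()
    return low.endswith(".so") or ".so." in low or low.endswith(".dll")

def probe_driver(path):
    """Load one candidate and report its identity, or the reason it is unusable."""
    try:
        lib = ctypes.CDLL(str(path))
        getfl = lib.C_GetFunctionList          # the one symbol every PKCS#11 module must export
    except (OSError, AttributeError) as exc:   # does not link, or is not a PKCS#11 module at all
        return {"path": str(path), "error": str(exc)}
    getfl.restype, getfl.argtypes = ctypes.c_ulong, [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST_HEAD))]
    fl = ctypes.POINTER(CK_FUNCTION_LIST_HEAD)()
    if (rv := getfl(ctypes.byref(fl))) != CKR_OK:
        return {"path": str(path), "error": "C_GetFunctionList returned 0x%x" % rv}
    f, info = fl.contents, CK_INFO()
    if (rv := f.C_Initialize(None)) != CKR_OK:
        return {"path": str(path), "error": "C_Initialize returned 0x%x" % rv}
    rv = f.C_GetInfo(ctypes.byref(info))
    f.C_Finalize(None)                         # always release the module, even after a failed query
    if rv != CKR_OK:
        return {"path": str(path), "error": "C_GetInfo returned 0x%x" % rv}
    return {"path": str(path), "cryptoki": "%d.%d" % (info.cryptokiVersion.major, info.cryptokiVersion.minor),
            "manufacturer": info.manufacturerID.decode("ascii", "replace").rstrip(),
            "description": info.libraryDescription.decode("ascii", "replace").rstrip()}

def discover(dirs=REGISTRY_DIRS):
    """Walk each registry directory; a missing directory simply contributes nothing."""
    return [probe_driver(p) for d in map(Path, dirs) if d.is_dir()
            for p in sorted(d.iterdir()) if p.is_file() and is_driver_candidate(p.name)]

if __name__ == "__main__":
    for entry in discover():
        print(entry)
```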

Feedback

Other TODOs

Quality Assurance

We are currently thinking about building up a testing lab to intensively test and improve the available PKCS#11 drivers. Unless somebody comes up with better ideas, it is planned to create a "CAcert certified PKCS#11 driver" program.

Distribution

We believe that it is necessary that all Linux distributions contain the necessary drivers for all the SmartCards out there. So we will try to collect the PKCS#11 drivers and push them to the distributors for inclusion, to make them publicly available.

Drivers

Please add/correct your listing yourself. http://janus.liebregts.nl/pkcs11/smartc.html

Name | URL | Vendor | Status
GPKCS | http://www.trustcenter.de/products/pkcs11/de/de.htm | TC Trustcenter | does not link correctly on newer distributions
soft-pkcs11 | http://people.su.se/~lha/soft-pkcs11/ | Love Hörnquist Åstrand | not enough features yet
Athena | http://www.athena-scs.com/ | Athena-SCS | not tried
Arx | http://www.arx.com/ | Arx | not tried
Aladdin | http://www.ealaddin.com/ | Aladdin | not tried
Litronic Netsign | http://www.litronic.com/products/netsign/ | Litronic | not tried
NCipher HSM | http://www.ncipher.com/ | NCipher | not tried
SafeNet HSM | http://www.safenet-inc.com/ | SafeNet | not tried
IButton | http://www.maxim-ic.com/products/ibutton/PKCS/index.cfm | Dallas Semiconductor/Maxim | lots of stability issues
OpenSC | http://www.opensc.org/files/doc/opensc.html#opensc.pkcs11 | OpenSC | not tried
openCryptoki | http://www.sf.net/projects/opencryptoki | IBM |

Found Drivers

AET | c:/winnt/system32/aetpkss1.dll
Aladdin eToken | c:/winnt/system32/etpkcs11.dll
Chrysalis | c:/winnt/system32/cryst32.dll
Chrysalis | c:/program files/luna/cryst201.dll
Datakey | c:/winnt/system32/pkcs201n.dll
Datakey (for Entrust) | c:/winnt/system32/dkck201.dll
Datakey/iKey (NB: buggy, use 201) | c:/winnt/system32/dkck232.dll
Eracom (old, OK) | c:/program files/eracom/cprov sw/cryptoki.dll
Eracom (new, buggy) | c:/program files/eracom/cprov runtime/cryptoki.dll
Eutron | c:/winnt/system32/sadaptor.dll
Gemplus | c:/winnt/system32/pk2priv.dll
Gemplus | c:/program files/gemplus/gclib.dll
IBM | c:/winnt/system32/cryptoki.dll
nCipher | c:/winnt/system32/cknfast.dll
Nexus | c:/winnt/system32/nxpkcs11.dll
Orga Micardo | c:/winnt/system32/micardoPKCS11.dll
Rainbow HSM (for USB use Datakey dvr) | c:/winnt/system32/cryptoki22.dll
Safelayer HSM (for USB use Datakey dvr) | c:/winnt/system32/p11card.dll
Schlumberger | c:/winnt/system32/slbck.dll
Spyrus | c:/winnt/system32/SpyPK11.dll

Applications

Name | URL | Information
pkcs11-tool | http://www.opensc.org/files/doc/opensc.html#opensc.pkcs11 | Command-line tool
OpenSSL | http://www.openssl.org/ | Crypto library with PKCS#11 support
cryptlib | http://www.cs.auckland.ac.nz/~pgut001/cryptlib/ | Crypto library with PKCS#11 support
Mozilla (Firefox, Thunderbird) | http://www.firefox.org/ | Browser and email client with NSS-based PKCS#11 support
XMLSec | http://www.aleksey.com/xmlsec/ | XML Encryption and Signature
Psi | http://psi.affinix.com/ | XMPP/Jabber client

Pkcs11TaskForce (last edited 2014-03-19 13:32:22 by SunTzuTormenta)