Re: [Fed-Talk] pkcs11 -- the Other Way 'Round
- Subject: Re: [Fed-Talk] pkcs11 -- the Other Way 'Round
- From: "Shawn A. Geddis" <email@hidden>
- Date: Fri, 30 Oct 2009 15:06:49 -0700
On Oct 30, 2009, at 11:45 AM, Henry B. Hotz wrote:
> Snow Leopard adds a pkcs11 tokend/library that Firefox can use. Yay!
>
> Anyone know about the other direction? I have a software-based pkcs11 library that I'd like to be visible to Safari/Keychain Access.
>
> <<If anyone cares, I'm headed toward a kx509 implementation.>>
Henry,
You would need to develop a TokenD that communicates directly with your P11 Library.
It would propagate all objects, ACLs and capabilities across from your P11-accessible library into Smart Card Services on Mac OS X, and then replicate everything that the "TokendPKCS11" project provides. You could leverage the source from MacOSForge for the latter half of this as long as you honor the licensing and commit back any and all changes you make to the original code for your solution to work -- just from the original TokendPKCS11 source code.
You are free to take any approach you would like, of course, with your kx509 project, but forcing it in this manner does not seem to be the cleanest approach -- especially if you are starting from scratch.
You're proposing:
/ Kerberos \
| (kx509) | ----> PKCS#11 ---> Tokend --> Securityd --> CDSA --> Applications
\ X.509 / <--- <--- <-- <-- <--
Any reason why you couldn't just communicate directly between kx509 <--> Tokend?
Nothing in Tokend prevents that, and it sure cuts out all of the unnecessary layers. This seems logical from what you provided, which of course did not include any constraints or assumptions up front.
- Shawn
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise