Predicting problems with PKCS #11 as a Trust Store

Rick van Rein rick at openfortress.nl
Tue Mar 8 15:12:11 UTC 2016 

Hi Nikos,

> Nikos Mavrogiannopoulos <mailto:nmav at redhat.com>
> 8 March 2016 at 13:57
> On Fri, 2016-03-04 at 23:08 +0100, Rick van Rein wrote:
>> Hello,
>>
>> If I understand correctly, then one of the goals of p11-kit is to
>> serve
>> as a trust store.  That use surprised me a bit, because PKCS #11
>> seems
>> too constraining for that use-case, unlike alternatives like
>> LDAP.  May
>> I present my cautions, in the hope they are useful to you?
>>
>>   * Useful about PKCS #11 is that it has well-defined storage formats
>> for X.509 certificates, but that won't help much with other key
>> infrastructures.  

>> I defined a format for OpenPGP [1] but that isn't
>> standardised, it isn't widely supported, and so you cannot rely on it
>> being possible in general.  The same can be said about OpenSSH,
>> DNSSEC, and so on. 
>
> Is that a real problem though? If openpgp wants to be a consumer of
> pkcs11 that's pretty easy to add, and for dnssec/openssh the public key
> and private key formats stored would be sufficient wouldn't they?

The problem in this case is that PKCS #11 is not quick to adopt changes,
and especially not the diverse implementations of it.  It is possible to
just use barren public/private keys, of course, but that will leave you
with hardly any metadata.  But yes, it would be possible that way. 
(What I proposed included storage of PGP Keys, pretty much as it is done
for X.509 certificates).
> btw. about standardizing the openpgp format for PKCS#11 have you
> brought your proposal to PKCS#11 working group? The process is quite
> open as far as I know.
> https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pkcs11

You are right, I should pitch for it.  Time is the problem.

There is a slight difference. LDAP is a network protocol rather than an
API, and for a trust store you would have to address the issue which
server to contact, and in the short run you could only implement it
using slapd... that sounds like too much for a trust store :)

 

This is a practical observation that I feel too.  It's not one that I would allow to drive my architecture -- but it's not mine of course.  As you know from previous chat (at the libtasn1 list) I am thinking of a low-profile LDAP interface.  It has merits to be able to run your own keyserver atop your .gnupg/ keyring, for instance, or with your personal collection of vCards.

 
Tx,
-Rick

More information about the p11-glue mailing list