author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-09-13 21:56:45 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-09-13 21:56:45 +0200 |
commit | 1276c744354f8947acac4fec236cf268980c0bee (patch) | |
tree | 7be7933584cd4f73bb9d2865e9015cead87a05e8 | |
parent | abd1428facbdaec84524c1c7e73faf26d268a707 (diff) | |
download | gnutls-1276c744354f8947acac4fec236cf268980c0bee.tar.gz |
Added a paragraph on opensc and trousers PKCS #11 modules.
-rw-r--r-- | doc/cha-cert-auth.texi | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi index dfbb51ecf0..f1309bd720 100644 --- a/doc/cha-cert-auth.texi +++ b/doc/cha-cert-auth.texi @@ -362,15 +362,24 @@ This section copes with hardware token support in @acronym{GnuTLS} using @acronym{PKCS} #11 @xcite{PKCS11}. @acronym{PKCS} #11 is plugin API allowing applications to access cryptographic operations on a token, as well as to objects residing on the token. A token can -be a real hardware token such as a smart card, or it can be a software component -such as @acronym{Gnome Keyring}. The objects residing on such token can be +be a real hardware token such as a smart card and a trusted platform module (TPM), +or it can be a software component such as @acronym{Gnome Keyring}. The objects residing +on such token can be certificates, public keys, private keys or even plain data or secret keys. Of those certificates and public/private key pairs can be used with @acronym{GnuTLS}. Its main advantage is that it allows operations on private key objects such as decryption and signing without exposing the key. -Moreover it can be used to allow all applications in the same operating system to access +A @acronym{PKCS} #11 module to access smart cards is provided by the +Opensc@footnote{@url{http://www.opensc-project.org}} project, and a +module to access the TPM chip on a PC is available from the Trousers@footnote{@url{http://trousers.sourceforge.net/}} +project. + +Moreover @acronym{PKCS} #11 can be (ab)used to allow all applications in the same operating system to access shared cryptographic keys and certificates in a uniform way, as in @ref{fig:pkcs11-vision}. +That way applications could load their trusted certificate list, as well as user +certificates from a common PKCS #11 module. Such a provider exists in the @acronym{Gnome} +system, being the @acronym{Gnome Keyring}. @float Figure,fig:pkcs11-vision @image{pkcs11-vision,9cm} |
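Review bot: the added line "such as a smart card and a trusted platform module (TPM)" should read "a smart card or a trusted platform module (TPM)", since a token is one kind of device or the other, and the same sentence's "on such token" needs an article ("on such a token"). The project names in the new footnote paragraph are spelled "Opensc" and "Trousers"; the projects write them as OpenSC and TrouSerS, so the text should match the names it links to. The wording "can be (ab)used to allow all applications ... to access shared cryptographic keys" hints at a concern but never states it; either use plain "used" or add a sentence saying what the caveat is, otherwise a reader cannot tell whether the shared-provider setup in the figure is being recommended or warned against. The last added sentence, "Such a provider exists in the @acronym{Gnome} system, being the @acronym{Gnome Keyring}.", reads awkwardly and drops the @acronym{} markup around "PKCS #11" that the rest of the section uses; suggest "@acronym{Gnome Keyring} is one such @acronym{PKCS} #11 provider." Unchanged context lines in this hunk still carry "is plugin API" (missing "a") and "Of those certificates and public/private key pairs" (missing comma after "those"); worth fixing while the paragraph is being touched.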