I am wondering about the possible benefits of PKCS#11 compared to CryptoAPI in
the area of certificate management on hardware devices. On one hand, it
seems to me that all token manufacturers supply a CSP for Windows. On the
other hand, PGP software only supports PKCS#11 for some reason.
Can anybody comment please?
With best regards,
Eugene Mayevski.
From what I understand, PKCS#11 has no real notion of what a certificate is.
You can store, search and read objects of type certificate, but no further
methods to work with such objects are defined. This interface aims to
generalize cryptographic tokens on a very basic level and therefore rather
provides those methods available in hardware.
CryptoAPI OTOH is a complete SDK which allows handling of cryptographic
operations and objects on a higher level of abstraction than PKCS#11. It
therefore provides a more complete set of methods.
The simple task of verifying a received certificate against a set of trusted
certificates which are stored on a PKCS#11 token is not possible without using
other libraries, for example to decode the binary blob which is returned as
the result when reading a certificate.
I haven't really used the CryptoAPI for quite some time, so I'm not totally sure
on this, but there should be a single VerifyCertificate API call which
simply needs some reference to certificate objects - no need to bother with
any low-level stuff like decoding.
HTH
MSNewsReader
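The check described in the reply above (read the certificate's CKA_VALUE blob, decode the DER, find the trusted certificate whose subject matches the issuer, verify the signature), as an added example that is not code from this thread or from PKIBlackbox. It assumes the blobs are what a token returns for CKO_CERTIFICATE objects under CKA_VALUE, CKA_SUBJECT and CKA_ISSUER; the sample certificates are constructed inside the block so no token is needed, only RSA PKCS#1 v1.5 with SHA-256 is handled, and the RSA keys are built from Mersenne primes, which makes them deterministic but trivially factorable, so they are for illustration only.

```python
import hashlib
# ---- minimal DER encoder: enough for a small X.509 v3 certificate ----
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                    # long form: 0x8N followed by N length bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, 'big')
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body
def seq(*parts):  return tlv(0x30, b''.join(parts))
def integer(v):   return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, 'big'))  # sign bit stays clear
def bitstring(b): return tlv(0x03, b'\x00' + b)
def oid(dotted):
    arcs = [int(x) for x in dotted.split('.')]
    out = [40 * arcs[0] + arcs[1]]
    for v in arcs[2:]:                       # base-128, high bit set on all but the last byte
        enc = [v & 0x7f]; v >>= 7
        while v:
            enc.append(0x80 | (v & 0x7f)); v >>= 7
        out += reversed(enc)
    return tlv(0x06, bytes(out))
def name(cn):     # single-RDN Name; this DER is exactly what CKA_SUBJECT / CKA_ISSUER hold
    return seq(tlv(0x31, seq(oid('2.5.4.3'), tlv(0x0c, cn.encode()))))
SHA256_RSA = seq(oid('1.2.840.113549.1.1.11'), tlv(0x05, b''))   # sha256WithRSAEncryption
RSA_ENC    = seq(oid('1.2.840.113549.1.1.1'), tlv(0x05, b''))    # rsaEncryption

# ---- minimal DER decoder ----
def parse_tlv(buf, off=0):
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        nb = ln & 0x7f
        ln, off = int.from_bytes(buf[off:off + nb], 'big'), off + nb
    return tag, buf[off:off + ln], off + ln
def children(body):                          # -> [(tag, contents, raw_tlv), ...]
    out, off = [], 0
    while off < len(body):
        tag, val, end = parse_tlv(body, off)
        out.append((tag, val, body[off:end]))
        off = end
    return out

# ---- RSA PKCS#1 v1.5 with SHA-256, stdlib only ----
def rsa_key(p, q, e=65537):
    n = p * q
    return {'n': n, 'e': e, 'd': pow(e, -1, (p - 1) * (q - 1)), 'k': (n.bit_length() + 7) // 8}
def pkcs1_sha256_em(msg, k):                 # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo
    digest_info = seq(seq(oid('2.16.840.1.101.3.4.2.1'), tlv(0x05, b'')),
                      tlv(0x04, hashlib.sha256(msg).digest()))
    return b'\x00\x01' + b'\xff' * (k - len(digest_info) - 3) + b'\x00' + digest_info
def rsa_sign(msg, key):
    m = int.from_bytes(pkcs1_sha256_em(msg, key['k']), 'big')
    return pow(m, key['d'], key['n']).to_bytes(key['k'], 'big')
def rsa_verify(msg, sig, n, e):
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, 'big')
    if len(sig) != k or s >= n:
        return False
    return pow(s, e, n).to_bytes(k, 'big') == pkcs1_sha256_em(msg, k)

# ---- certificates: what the token hands back in CKA_VALUE, and getting the fields back out ----
def make_cert(serial, issuer_cn, subject_cn, subject_key, signer_key):
    """Build a DER X.509 v3 certificate (no extensions) signed by signer_key."""
    spki = seq(RSA_ENC, bitstring(seq(integer(subject_key['n']), integer(subject_key['e']))))
    validity = seq(tlv(0x17, b'240101000000Z'), tlv(0x17, b'340101000000Z'))
    tbs = seq(tlv(0xa0, integer(2)), integer(serial), SHA256_RSA, name(issuer_cn),
              validity, name(subject_cn), spki)
    return seq(tbs, SHA256_RSA, bitstring(rsa_sign(tbs, signer_key)))
def decode_cert(blob):
    """Pull out of a CKA_VALUE blob the fields a trust check needs."""
    tag, body, end = parse_tlv(blob)
    if tag != 0x30 or end != len(blob):
        raise ValueError('not a single DER SEQUENCE')
    tbs, sig_alg, sig_val = children(body)
    fields = children(tbs[1])
    if fields[0][0] == 0xa0:                 # explicit [0] version; absent in v1 certificates
        fields = fields[1:]
    serial, tbs_alg, issuer, _validity, subject, spki = fields[:6]
    _, rsa_pub, _ = children(children(spki[1])[1][1][1:])[0]   # BIT STRING -> RSAPublicKey SEQUENCE
    n, e = [int.from_bytes(v, 'big') for _, v, _ in children(rsa_pub)]
    return {'tbs': tbs[2], 'serial': int.from_bytes(serial[1], 'big'), 'n': n, 'e': e,
            'issuer': issuer[2], 'subject': subject[2],          # same bytes as CKA_ISSUER / CKA_SUBJECT
            'tbs_alg': tbs_alg[2], 'sig_alg': sig_alg[2], 'signature': sig_val[1][1:]}
def verify_against_trusted(blob, trusted_blobs):
    """True if blob is signed by the trusted certificate whose subject equals blob's issuer."""
    cert = decode_cert(blob)
    anchors = {a['subject']: a for a in map(decode_cert, trusted_blobs)}
    issuer = anchors.get(cert['issuer'])
    if issuer is None:
        return False
    if cert['tbs_alg'] != cert['sig_alg'] or cert['sig_alg'] != SHA256_RSA:   # RFC 5280 4.1.1.2
        return False
    return rsa_verify(cert['tbs'], cert['signature'], issuer['n'], issuer['e'])

# Constructed fixtures (assumption): RSA keys from Mersenne primes are deterministic but insecure.
CA_KEY    = rsa_key(2**521 - 1, 2**607 - 1)
LEAF_KEY  = rsa_key(2**1279 - 1, 2**2203 - 1)
CA_CERT   = make_cert(1, 'Example Root', 'Example Root', CA_KEY, CA_KEY)
LEAF_CERT = make_cert(2, 'Example Root', 'eugene@example.test', LEAF_KEY, CA_KEY)
```

`verify_against_trusted(LEAF_CERT, [CA_CERT])` returns True and `verify_against_trusted(LEAF_CERT, [])` returns False. The point of the block is how much sits between "read the object" and "verified": the token gives back the raw DER, and the parsing, the DigestInfo encoding and the signature check all come from elsewhere. Because the `issuer` and `subject` values are the same DER bytes the token stores in CKA_ISSUER and CKA_SUBJECT, on a real token the candidate anchors can be narrowed with a C_FindObjectsInit template on CKA_CLASS = CKO_CERTIFICATE and CKA_SUBJECT = the issuer name before any CKA_VALUE is read. Validity period, key usage and revocation checks are deliberately left out here; a trust check for real use needs them as well.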
N> The simple task of verifying a received certificate against a set of
N> trusted certificates which are stored on a PKCS#11 Token is not possible
N> without using other libraries for example to decode the binary blob
N> which is returned as result when reading a certificate.
Thank you for the comment.
We offer the library (PKIBlackbox) ourselves, so the question is mainly if
support for PKCS#11 is needed...
With best regards,
Eugene Mayevski
Oh, sorry, I didn't get this.
If your library works on Windows only, the need for supporting PKCS#11 is
rather negligible - you're lacking support for Mozilla/Netscape and some other
applications though (but whether or not this poses a problem is a matter of
personal favor, I guess).
If your focus is to be platform independent, you have to offer PKCS#11 anyway.
Cheers
MSNewsReader
M> If your library works on Windows only, the need for supporting PKCS#11
M> is rather negligible - you're lacking support for Mozilla/Netscape and
M> some other applications though (but whether or not this poses a problem
M> is a matter of personal favor, I guess).
M> If your focus is to be platform independent, you have to offer PKCS#11
M> anyway.
Thank you for the information. Does this mean that Mozilla offers a PKCS#11
interface to its certificate storage? I don't have Mozilla now to check.
Yes, I've been using PKCS#11 based hardware and software tokens since Netscape 4.x
and with all Mozilla versions supporting it (not sure with which version
cryptoki support started, you might check the release notes).
Therefore you either use the internal cryptoki token provided by the browser or
install your own token, e.g. a smartcard.
But if you meant to access the certificate storage or other objects of the
internal PKCS#11 token from an application other than the browser - I don't
think so.
A short quote from Mozilla's glossary:
"PKCS #11 module.
A program on your computer that manages cryptographic services such as
encryption and decryption using the PKCS #11 standard. Also called
cryptographic modules, cryptographic service providers, or security modules,
PKCS #11 modules control either hardware or software devices. A PKCS #11
module always controls one or more slots, which may be implemented as some
form of physical reader (for example, for reading smart cards) or in software.
Each slot for a PKCS #11 module can in turn contain a security device (also
called token), which is the hardware or software device that provides
cryptographic services and stores certificates and keys. Certificate Manager
provides two built-in PKCS #11 modules. You may install additional modules on
your computer to control smart card readers or other hardware devices."
Have fun
MSNewsReader
M> yes, I'm using PKCS#11 based hardware and software token since Netscape
Thank you very much for the detailed explanation! Then we will implement PKCS#11
for everyone's benefit ...