[Fedora-directory-devel] coolkey information and license
Rich Megginson
rmeggins at redhat.com
Wed Aug 27 17:34:23 UTC 2008
Here are the answers from one of the coolkey developers ... followups to
coolkey-devel at redhat.com
>
> ------------------------------------------------------------------------
>
> Subject:
> [Fedora-directory-devel] coolkey information and license
> From:
> Andreas Jellinghaus <aj at dungeon.inka.de>
> Date:
> Wed, 27 Aug 2008 09:03:25 +0200
> To:
> fedora-directory-devel at redhat.com
>
>
> Hi,
>
> first some questions about coolkey:
> is the windows CSP coolkey specific, or is it (as it looks from many
> miles away) a generic CSP to PKCS#11 bridge?
>
It's a generic PKCS #11 bridge.
> the csp code mentions Identity alliance all over the place - is this the
> ID Ally CSP now open sourced? (it worked always fine for me, so an
> open source release labeled as coolkey would be great).
>
yes, we got permission from ID Ally to release it under GPL.
> The fedora directory server wiki page on coolkey doesn't have too many
> details on what each component exactly does / how it is implemented.
>
> For example:
> - the windows CSP: generic or tied to the coolkey pkcs#11 module?
>
Generic.
> - the java card applet: generic or only working on cyberflex cards?
> how is it uploaded? with gpshell? maybe include instructions for
> doing this, or refer to some tutorial?
>
Tied to javacard/global platform, however your mileage may vary. A
number of cards we tested all required tweaks to the applet to get working.
> - the java card applet: what API does it implement? I guess not a
> filesystem with pkcs#15 structures, but some proprietary simple api?
>
No it's not a filesystem card, it's a java card. It's currently a
modified muscle API. We'd love to add PIV and CAC as interfaces as well.
> - is the source code of the java card applet open source too? where
> can people find it?
>
yes, it's there on the website:
CVSROOT=:pserver:anonymous@cvs.fedora.redhat.com:/cvs/dirsec ; export CVSROOT
cvs login
cvs checkout coolkey/applet
Build instructions are at:
http://directory.fedoraproject.org/wiki/BuildCoolKeyApplet .
> - how is the card managed with this applet? e.g. does it implement
> a single user or a security officer plus normal user combo?
> or is it flexible to do both?
>
Neither. It's currently managed by a back end TPS system. We would like
to add user managed as well. The system that manages it is available at
dogtag (http://pki.fedoraproject.org/wiki/PKI_Main_Page). The relevant
subsystems are TPS and TKS. Stand alone versions of those would be an
excellent addition (so much work, so little time).
> - the windows makefile: what build environment for windows does it
> expect? (oops, found the wiki page with the windows build instructions,
> thanks, solved)
> - what is the job of the "cspres.dll"?
> - what is the job of the "regcerts.exe"? when/how does a user need to
> start it?
> - does the pk11install.c work with all versions of mozilla firefox,
> thunderbird and netscape? if so, it would be very interesting for
> other projects with pkcs#11 modules too. what does it exactly?
> (modify config file? databases? ...) is it important to have firefox etc.
> running? or to have it not running? etc.
>
all current versions, as well as older mozilla and seamonkey. Longer
term we are looking at shared database as a better solution.
> - the ChangeLog file is mentioned in the spec file - thus I guess it gets
> included in the rpm? this is not needed (the file is empty)
> - the coolkey.spec sets the license to LGPL which is not 100% correct
> (see below)
> - the coolkey.spec file uses "PKCS#11" without mentioning "RSA Security
> Inc. Public-Key Cryptography Standards (PKCS)"
> which could be a license violation (see below)
> - the pkcs11.h file has a different license clause than the usual file.
> I wonder where you got this, did RSA ever release a file with the
> spelling error "In.c"?
>
> last the license: some web sites assume the software is LGPL. but the
> PKCS#11 header files used - even the copy from mozilla source - is
> not, it includes the RSA disclaimer, which is similar to the BSD advertising
> clause, but worse because of its very vague formulation ("all material" etc.).
>
> Scute has a PKCS#11 header file written from scratch by using public
> information thus not tainted by any RSA license. opensc and a number
> of other open source projects switched to using this header file (released
> as public domain). maybe this is a viable solution for coolkey too?
>
I believe Mozilla cleared the Mozilla copies with RSA for distribution
under the GPL, LGPL, and the MPL. Coolkey's copies come directly from
Mozilla. 'Scratch rewrites' still technically have a problem in that
they are still derived from the PKCS #11 spec which has the same license
clause. BTW in PKCS #11 v2.3 RSA is removing the offending clause! This
should free up all the various copies floating around.
bob
> (same pkcs#11 header files in coolkey and the windows/csp directory.)
>
yes, we prefer the Mozilla versions since we know we have clearance for
GPL, LGPL, and MPL.
> Regards, Andreas
>
> --
> Fedora-directory-devel mailing list
> Fedora-directory-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-devel
>