[Fedora-directory-devel] coolkey information and license

Rich Megginson rmeggins at redhat.com
Wed Aug 27 17:34:23 UTC 2008 

Here are the answers from one of the coolkey developers ... followups to 
coolkey-devel at redhat.com
 >
 > ------------------------------------------------------------------------
 >
 > Subject:
 > [Fedora-directory-devel] coolkey information and license
 > From:
 > Andreas Jellinghaus <aj at dungeon.inka.de>
 > Date:
 > Wed, 27 Aug 2008 09:03:25 +0200
 > To:
 > fedora-directory-devel at redhat.com
 >
 > To:
 > fedora-directory-devel at redhat.com
 >
 >
 > Hi,
 >
 > first some question about coolkey:
 > is the windows CSP coolkey specific, or is it (as it looks from many 
miles away) a generic CSP to PKCS#11 bridge?
 >  
It's  a geneeric PKCS #11 bridge.
 > the csp code mentions Identity alliance all over the place - is this the
 > ID Ally CSP now open sourced? (it worked always fine for me, so an
 > open source release labed as coolkey would be great).
 >  
yes, we got permission from ID Ally to release it under GPL.
 > The fedora directory server wiki page on coolkey doesn't have too many
 > details on what each component exactly does / how it is implemented.
 >
 > For example:
 >  - the windows CSP: generic or tied to the coolkey pkcs#11 module?
 >  
Generic.
 >  - the java card applet: generic or only working on cyberflex cards?
 >    how is it uploaded? with gpshell? maybe include instructions for
 >    doing this, or refer to some tutorial?
 >  
Tied to javacard/global platform, however your mileage may vary. I 
number of cards we tested all required tweaks to the applet to get working.
 >  - the java card applet: what API does it implement? I guess not a
 >    filesystem with pkcs#15 structures, but some proprietory simple api?
 >  
No it's not a filesystem card, it's a java card. It's currently a 
modified muscle API. We'd love to add PIV and CAC as interfaces as well.
 >  - is the source code of the java card applet open source too? where
 >    can people find it?
 >  
yes, it's there on the website:

CVSROOT=:pserver:anonymous at cvs.fedora.redhat.com:/cvs/dirsec ; export 
CVSROOT
cvs login
cvs checkout coolkey/applet


Build instructions are at: 
http://directory.fedoraproject.org/wiki/BuildCoolKeyApplet .


 >  - how is the card managed with this applet? e.g. does it implement
 >    a single user or a security officer plus normal user combo?
 >    or is it flexible to do both?
 >  
Neither. It's currently managed by a back end TPS system. We would like 
to add user managed as well. The system that manages it is available at 
dogtag (http://pki.fedoraproject.org/wiki/PKI_Main_Page). The relevant 
subsystems are TPS and TKS. Stand alone versions of those would be an 
excellent addition (so much work, so little time).
 >  - the windows makefile: what build environment for windows does it
 >    expect? (oops, found the wiki page with the windows build 
instructions,
 >    thanks, solved)
 >  - what is the job of the "cspres.dll"?
 >  - what is the job of th "regcerts.exe"? when/how does a user need to
 >    start it?
 >  - does the pk11install.c work with all versions of mozilla firefox,
 >    thunderbird and netscape? if so, it would be very interesting for
 >    other projects with pkcs#11 modules too. what does it exactly?
 >    (modify config file? databases? ...) is it important to have 
firefox etc.
 >    running? or to have it not running? etc.
 >  
all current versions, as well as older mozilla and seamonkey. Longer 
term we are looking at shared database as a better solution.
 >  - the ChangeLog file is mentioned in the spec file - thus I guess it 
gets
 >    included in the rpm? this is not needed (the file is empty)
 >  - the coolkey.spec sets the license to LGPL which is not 100% correct
 >    (see below)
 >  - the coolkey.spec file uses "PKCS#11" without mentioning    "RSA 
Security Inc. Public-Key Cryptography Standards (PKCS)"
 >     which could be a license violation (see below)
 >  - the pkcs11.h file has a different license clause than the usual file.
 >    I wonder where you got this, did RSA ever released a file with the
 >    spelling error "In.c"?
 >
 > last the license: some web sites assume the software is LGPL. but the
 > PKCS#11 header files used - even the copy from mozilla source - is
 > not, it includes the RSA disclaimour, which is similar to the BSD 
advertising
 > clause, but worse because of its very vague formulation ("all 
material" etc.).
 >
 > Scute has a PKCS#11 header file written from scratch by using public 
information thus not tainted by any RSA license. opensc and a number
 > of other open source projects switched to using this header file 
(released
 > as public domain). maybe this is a viable solution for coolkey too?
 >  
I believe Mozilla cleared the Mozila copies with RSA for distribution 
under the GPL, LGPL, and the MPL. Coolkey's copies come directly from 
Mozilla. 'Scratch rewrites' still technically have a problem in that 
they are still derived from the PKCS #11 spec which as the same license 
clause. BTW in PKCS #11 v2.3 RSA is removing offending clause! This 
should free up all the various copies floating around.

bob
 > (same pkcs#11 header files in coolkey and the windows/csp directory.)
 >  
yes, we prefer the Mozilla versions since we know we have clearance for 
GPL, LGPL, and MPL.
 > Regards, Andreas
 >
 > --
 > Fedora-directory-devel mailing list
 > Fedora-directory-devel at redhat.com
 > https://www.redhat.com/mailman/listinfo/fedora-directory-devel
 >  


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-devel/attachments/20080827/324440cf/attachment.bin>

More information about the Fedora-directory-devel mailing list