Here are the answers from one of the coolkey developers ... followups to
[Fedora-directory-devel] coolkey information and license
Andreas Jellinghaus <aj(a)dungeon.inka.de>
Wed, 27 Aug 2008 09:03:25 +0200
> first some questions about coolkey:
> is the windows CSP coolkey specific, or is it (as it looks from many
> miles away) a generic CSP to PKCS#11 bridge?
It's a generic PKCS #11 bridge.
> the csp code mentions Identity alliance all over the place - is this the
> ID Ally CSP now open sourced? (it worked always fine for me, so an
> open source release labeled as coolkey would be great).
yes, we got permission from ID Ally to release it under GPL.
> The fedora directory server wiki page on coolkey doesn't have too many
> details on what each component exactly does / how it is implemented.
> For example:
> - the windows CSP: generic or tied to the coolkey pkcs#11 module?
> - the java card applet: generic or only working on cyberflex cards?
> how is it uploaded? with gpshell? maybe include instructions for
> doing this, or refer to some tutorial?
Tied to javacard/global platform, however your mileage may
number of cards we tested all required tweaks to the applet to get working.
> - the java card applet: what API does it implement? I guess not a
> filesystem with pkcs#15 structures, but some proprietary simple api?
No it's not a filesystem card, it's a java card.
It's currently a modified muscle API. We'd love to add PIV and CAC as interfaces as well.
> - is the source code of the java card applet open source too? where
> can people find it?
yes, it's there on the website:
CVSROOT=:pserver:email@example.com:/cvs/dirsec ; export
cvs checkout coolkey/applet
Build instructions are at:
> - how is the card managed with this applet? e.g. does it implement
> a single user or a security officer plus normal user combo?
> or is it flexible to do both?
Neither. It's currently managed by a back end TPS system.
We would like to add user managed as well. The system that manages it is available at
). The relevant
subsystems are TPS and TKS. Stand alone versions of those would be an
excellent addition (so much work, so little time).
> - the windows makefile: what build environment for windows does it
> expect? (oops, found the wiki page with the windows build
> - what is the job of the "cspres.dll"?
> - what is the job of the "regcerts.exe"? when/how does a user need to
> - does the pk11install.c work with all versions of mozilla firefox,
> thunderbird and netscape? if so, it would be very interesting for
> other projects with pkcs#11 modules too. what does it do exactly?
> (modify config file? databases? ...) is it important to have
> running? or to have it not running? etc.
all current versions, as well as older mozilla and seamonkey.
term we are looking at shared database as a better solution.
> - the ChangeLog file is mentioned in the spec file - thus I guess it
> included in the rpm? this is not needed (the file is empty)
> - the coolkey.spec sets the license to LGPL which is not 100% correct
> - the coolkey.spec file uses "PKCS#11" without mentioning "RSA
> Security Inc. Public-Key Cryptography Standards (PKCS)"
> which could be a license violation (see below)
> - the pkcs11.h file has a different license clause than the usual file.
> I wonder where you got this, did RSA ever release a file with the
> spelling error "In.c"?
> last the license: some web sites assume the software is LGPL. but the
> PKCS#11 header files used - even the copy from mozilla source - is
> not, it includes the RSA disclaimer, which is similar to the BSD
> clause, but worse because of its very vague formulation ("all
> Scute has a PKCS#11 header file written from scratch by using public
> thus not tainted by any RSA license. opensc and a number
> of other open source projects switched to using this header file
> as public domain). maybe this is a viable solution for coolkey too?
I believe Mozilla cleared the Mozilla copies with RSA for
under the GPL, LGPL, and the MPL. Coolkey's copies come directly from
Mozilla. 'Scratch rewrites' still technically have a problem in that
they are still derived from the PKCS #11 spec which has the same license
clause. BTW in PKCS #11 v2.3 RSA is removing the offending clause! This
should free up all the various copies floating around.
> (same pkcs#11 header files in coolkey and the windows/csp directory.)
yes, we prefer the Mozilla versions since we know we have
GPL, LGPL, and MPL.
> Regards, Andreas