There's been lots of talk about PKCS11, but hardly anything said about
Since I'm one of the ones fortunate enough to use one, I'll say
Apple has chosen to use the CDSA architecture (see
Well, that's more modern, but not as widely used. Nevertheless, it
does have far more "security features"
than PKCS11, so I really can't fault Apple for going that route.
Now, what this means is that the preferred way for applications to
access smart cards is to use
the CSSM_whatever API that CDSA provides (or KeyChainServices, or
TrustServices, or ... that
are really just wrappers around CDSA calls). Such calls for smart card
services will wander through
CDSA and eventually get to a plug-in on the back end that then connects
up with a PCSC daemon
and finally to an ifdhandler.
This is what Safari and Mail.app and other Apple applications do.
So, the preferred way for Mozilla/Firefox/Thunderbird to manipulate
keys and certificates would
be to use the CDSA calls. But that's going to take a lot of effort
from the Mozilla, etc. developers
since they've already invested a lot in PKCS11.
Therefore, what would be really useful to have for Macs is a PKCS11
library that just presents
the PKCS11 API to applications and translates those calls to CDSA calls.
I've never heard of such a thing. If someone has, please speak up. If
someone is anxious to
write some PKCS11 code for the Mac, this would be a useful thing to
>>Also a tutorial how to use Mac OS X apps
>>with OpenSC would be nice to have.
>This requires a cdsa plugin for pkcs#11 (the most sensible way to add
>support to os x). If anyone else is working on something similar or
>wants to help out drop me a line.
A tokend plugin is on my todo list for one of the next months.
However, we were thinking not to use pkcs11 because it's too much
overhead and because the plugin framework itself does the reader
stuff so it probably won't fit in nicely (or not at all).
Instead, I was thinking of making a sort of 'mode' in opensc
where the card commands (e.g. sc_select_file()) are not sent
to the card, but only put into a buffer that can be given to the
tokend framework instead. Or to make a new 'tokend' driver
next to the current pcsc, openct and ctapi reader drivers.
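The "capture mode" idea sketched in the reply above, as an added illustration in C that is not OpenSC code: a reader whose transmit hook records the ISO 7816-4 SELECT-by-path APDU instead of sending it, so another framework can replay it. The reader struct, the length-prefixed capture buffer and the function names are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical reader back end: the transmit hook either talks to a card
   or, in "capture mode", just records the APDU for another framework. */
typedef struct reader reader_t;
typedef int (*transmit_fn)(reader_t *, const uint8_t *apdu, size_t len);

struct reader {
    transmit_fn transmit;   /* where card commands go */
    uint8_t     buf[256];   /* capture area (size is an assumption) */
    size_t      used;       /* bytes of buf in use */
    size_t      count;      /* number of APDUs captured */
};

/* Capture mode: the command is not sent, only queued, length-prefixed. */
static int capture_transmit(reader_t *r, const uint8_t *apdu, size_t len) {
    if (len > 255 || r->used + 1 + len > sizeof r->buf)
        return -1;                      /* buffer full: refuse, never truncate */
    r->buf[r->used++] = (uint8_t)len;
    memcpy(r->buf + r->used, apdu, len);
    r->used += len;
    r->count++;
    return 0;
}

/* Build an ISO 7816-4 SELECT-by-path APDU (CLA 00, INS A4, P1 08, P2 00)
   and hand it to whatever transport the reader is configured with. */
static int select_file(reader_t *r, const uint8_t *path, size_t pathlen) {
    uint8_t apdu[5 + 16];
    if (pathlen == 0 || pathlen > 16 || (pathlen % 2) != 0)
        return -1;                      /* a path is a list of 2-byte file ids */
    apdu[0] = 0x00; apdu[1] = 0xA4; apdu[2] = 0x08; apdu[3] = 0x00;
    apdu[4] = (uint8_t)pathlen;
    memcpy(apdu + 5, path, pathlen);
    return r->transmit(r, apdu, 5 + pathlen);
}

/* Drain the next captured APDU into out; returns its length, 0 when empty. */
static size_t next_captured(reader_t *r, size_t *pos, uint8_t *out, size_t outlen) {
    if (*pos >= r->used) return 0;
    size_t len = r->buf[(*pos)++];
    if (len > outlen) return 0;
    memcpy(out, r->buf + *pos, len);
    *pos += len;
    return len;
}

static void reader_init_capture(reader_t *r) {
    memset(r, 0, sizeof *r);
    r->transmit = capture_transmit;
}
```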