 Thank you very much, I'm Niklas Mavrianović, I'm the author of the new series and I'm going to talk about unifying access to holographic objects. If you wonder what is it, I will explain here in the presentation. Now the plan of the presentation is, first I'm going to talk about probably you know already, as I've seen in the previous presentations, but I will elaborate on what are cryptographic tokens and modules are, what are cryptographic objects, what do I mean by it, and what do I mean by access to the objects and what are the open issues that we face today, and also about the modules, how do we access today and what issues we have. So as you may know or not, cryptographic tokens are various hardware things that we use not only to store keys, and actually not to store keys, but to use operations on keys without actually accessing the keys. So when you insert a cryptographic token on a card reader, receive a smart card or a USB token, you insert it on your PC, you can perform cryptographic operations, but you are sure that after you remove the token, the PC doesn't have any access to the key. So there can also be software tokens, non-killing is a security module that is here in the software, and all of these tokens, they can be accessed in a common way via PSAs and other APIs. What do they contain these tokens? They can contain cryptographic keys, the corresponding certificates, probably a list of traces and figures. So they can contain stuff that you can use to authenticate yourself to some side or some other part. And they are mainly accessed through biggest 11 modules. What are these modules? Because 11 modules are just normal-serial libraries that provide you access to a consistent API and give you access to operations, cryptographic operations. If you search your system, probably you have some library in this directory. Now I'm going to talk about accessing objects and what are the issues. So, in typical applications today, cryptographic applications, when you want to provide your identity, they ask you for a key file and a certificate file. What are these? It's a file that contains your private key and your certificate. So if you use the NoDLS click line or the open-insert line, in order to connect to a site, you can specify as a command line a key and a certificate. But when you want to specify a key that resides on a token, you have to use very special options. Really, I don't remember how it is in the open-insert line. It's pretty hard, almost, in every program to do. And some, even worse, some programs they require you to enter the slot number of the smart card. If you have a smart card reader that has many slots, you might require you to type the slot number, but you don't really care about that. So what are the problems? Objects are referenced in a way that is really unique per application. We don't like that. Why should I specify a different option for open-insert and different for NoDLS and different for any other library? So what requirements do we have for that? How can I identify an object in a unique way? Object has an object ID. Now the whole context is pks611. Every object has an object ID. It has a type. It can be a certificate, a private key. It can be some other data. And also there is a token ID which says this object resides on this token. So you don't copy a different object that resides on another token, but have the same ID. And also what we want is known... How are we going to access this object? We have which module? Say if you use open-insert and you want to access a pks11 card, you want to specify that I want to access this module via the open-insert interface, not some other interface that is not easy in your system. So some examples. In order to specify a private key and a certificate that resides on a token, you have to specify an ID something like this. In open-insert cell, if you use the pks11 open-insert engine, it's some other different ID. But a nice thing that occurred in the world of pks11 implementation is that they created the concept of pks11 URLs. This is a standardized way to specify tokens, standardized via eEd. It's specified on this draft. And it can be used to uniquely describe a token and also an object. You can specify both things. This is how it looks like. I think it's more real than saying the pks11 helper stream, although it might be a bit intimidating, but it's pretty clean what it means. This object is a certificate. It says it has a data ID. It resides on that token, made by this manufacturer and this model. So what are the advantages of using URLs to identify objects? We can describe all tokens. It doesn't care about any slots. And it can be used to share between applications. If all applications decide to standardize this URL scheme, you can copy, let's say, the position of your certificate, your URL, from one application to the other. And a nice also property is that it can be used in command line. Because there are purely text. You can, let's say, if you use GNU, TLS, click. You can specify instead of key file, you can put a pks11 URL, and GNU TLS will just load your certificate and your private key from the smarka. And this is a model-compatible way to specify keys that are either on your file system or reside on a token. Yeah, this is the proposal, what we propose as a GNU TLS project to describe objects on a token. So I'm going to talk about a different problem that is mainly for developers at work with pks11 modules. We had these problems, implementing pks11 support in GNU TLS. There's no system-wide way to read, to know which pks11 libraries to use. In my system, there are many libraries, but I don't want to use them all. How can we system-wide specify these libraries should be there? It should be loaded by GNU TLS or by OpenSL or by any other project. We don't have this today. And also pks11 has issues when multiple users use a module. I'm going to talk about the first one first. There's a proposal to the file system here. It's standard that they say, put all the modules in that directory and load then GNU TLS and OpenSL will load them. But it has a problem. I found there that there is some testing modules that as long as you use it in GNU TLS, you get some errors in the standard. They say this is a testing module and stuff. This is not nice. Also, I found that OpenSL has two libraries that have the same identification as pks11. And when you list objects, they give you the same objects in the same URLs. So it's impossible to use this directory and load all the libraries from that. So for GNU TLS, we use a special configuration file, although this is not a solution. We want something better about it. So this is an open problem today. Another problem. Access to modules will be in Linux, in Devian or so. It's very common to have setups like this. You can have a layout where an application is using two subsystems, one subsystem is using GNU TLS and the other is using OpenSL. And let's say it's supposed that both they use objects from pks11, even from different libraries from the same library. What will happen? When subsystems be, let's say it's no longer used by the application. So it's a dynamically loaded library and the application unloads it. OpenSL will let it clean up and it will also clean up pks11. Then GNU TLS will stay looking out nothing. It will have no backend and either the application will crash or it will be just unused. So this is the second problem of pks11. We need a way to make it result by multiple uses in the same application in order to solve these issues. Steph, Walter, who will be presenting next, he's working on that on a solution called pk11kit. So what I've told you actually is what open problems we have. I propose a solution only to the first one and the others one are still open. So today we have no common way to specify objects. pks11 URLs might be a solution that we'd like in GNU TLS. And we have problems accessing modules in a single application and we have problems with the configuration but it's not there. Are there any questions? Sorry, I don't hear you. Who has adopted this URL scheme? Has anyone heard of it? The oracle pks11 module uses and GNU TLS already uses. And now... I'm not hearing. I'm not hearing. Maybe I can testify it's a real problem in the smart cards. We do a lot of testing and it's very usual that you can log a smart card with one application and then you cannot stop another application. So your piece of software is really important for the community. I would say it's an absolute priority. Have you made experiments? So I think... What about other SSL and security libraries? You said... Other libraries? Yes. I think you've focused on GNU TLS right now? Actually, at the start of problems during the implementation of this thing on GNU TLS, but I think the same problems in other libraries. Every library has its own way of specifying objects. NSS has its own way. It has a web interface or something. I don't think you can... I don't know. But the same problems are there. It's nice if they're solving all of them. You're saying that all the applications should be using the common configuration file. The rates of the specified pitch modules should be used. Yeah. But that puts... We... quite pattern-specific because you would have to have a specification. For example, the layer of the system will be... What do you mean different? For example, if you want to have a cross-platform solution that's more important than a Mac OS layer in the Windows, it won't have more defined points but it will have the password. Can you close the door? In the case of the Unix-like systems, that would be easy to accomplish because most Unix-like systems comply to the FHS. But in case of Windows, it has files all over the place and it would be a good question where such a configuration file should be placed. Are you mean about solutions that also covers Windows? Yeah, I suppose Windows will use something different. It will not use a configuration file, maybe something in the registry or... Still, in the end, you'd have to push a kind of standard for that. But in Windows, you don't really care. It has its own framework for cryptography. I don't know... Although, not the rest of the day, it also runs in Windows and maybe it's easier to use because 11 or the CSP thing but I don't know how it can be crossed-platform, a configuration file crossed-platform in Windows and in Linux. I don't know. That's the thing that I'm actually inclined to do. Quite a... platform-specific solution. It could be at least for all post-existence that have a file system. I think that rather than a configuration file, if it's going to be really cross-platform, then it needs to be a configuration API as in a library provider that uses whatever system-specific back-end to... to store configuration for that system. I think... a plain file might be... it will work fantastically well on post-existence systems but it might not be enough to cover others as well. Another question that I thought of here, the PKCS11 URLs, have you seen them used in a GUI anywhere? Does... Is the Oracle thing a graphical... does it have a graphical user interface? I'll use it in my command line. Okay. Usually in a GUI, you wouldn't see them. You would see only the description of your object and you could also copy the object. You could see it from one application to the other and when you copy, you don't care seeing actually. What do you copy? It's like when copying files. Except the file is just one object or just one... it has one atom of identity. A single... single field of identity. It's pretty unique. Yeah, I'm sure it's unique but it's... it's... if you have a graphical user interface the wrong way to do it is to have a text box where you paste the PKCS11 URL. You can drag and drop. Yeah, that's... yeah, yeah. It would be a nice backend to drag and drop. You just transfer URLs. Yeah, so that was my question. If you had seen it implemented anywhere in Oracle... I don't know. The only other implementation I have seen is Oracle. But it's also a command line. Okay. But maybe it's the... You are influencing in the GUI library. Okay. The idea is that we should see some kind of the three... three widgets and then select the one you want to then download it. The URL would be used without the user even seeing the URL. Is that the idea? Yeah. So that answers this question in a GUI that URLs would not be seen at all. I think the question in RFC or whatever the document was it's also done by Oracle guys. Yeah. So basically it's a chicken and egg thing. It's done by Oracle guys because a lot of feedback from me and Steph from... How is the IETF process going? There. It's just an information RFC. It's not much process. When they say they are ready, it can be published information RFC. It's not a standard. I think there are two issues with the thing. The URL omits the actual path to the file name what application it has to do. It has to deal open the shared library. And the second thing is that somebody asked about cross-platform usability. The thing is that Linux or the three Unix is the only platform which doesn't have any kind of a system API which the Fedora guys are trying to fix by resorting to a single kind of a platform support and the distribution support is the triple ref library which is NSS which kind of solves it because it just has its own internal kind of a thing that registers all the models you want to use which is of course not reusable which forces you to use NSS which is also not on payday I think for most people. It can be one solution but about the first one you said that you don't have the library there. I don't think you want the library there. What you can do actually is have the library name there at the key select name of the library. So as long as the application has as I said you need a configuration file or something that you can know which libraries to load as long as you have them you can know which library to load the object from. You split the configuration into two you're going to have the application specific one or you're going to depend on the library standard and you have your own like your specification. You can split the problem into more pieces you have to manage from my point of view. Yeah, actually when you have a big program it's better to split it. The idea is painting a drag control. That's something that's actually missing is people say that you know Nome and Kaderi how can they work together but the free desktop there's a lot of standards that should work across applications with different frameworks. It's a good idea because you have small code that has a proprietary middleware and you have an OpenSC implementation so if you have the in the URL you have the password proprietary one you could have an application that would use the same URL using the OpenSC middleware. So it's not too hard code thing that's not necessary relevant to the URL. It's definitely interesting. But for me the best thing is not the drag control but the fact that you're going to reuse the old options specify a key file and a certificate file to read the URL and then act appropriately. So you don't really need obscure options, let's say because 11ID or something can specify this 11 URL. Another question is there a reference implementation actually implementing using the URLs in the development at least use the URLs because it needs to be very easily implemented and usable again. I have one question I'm not sure if it's really relevant to the topic but I just wonder if there's any access control in these URLs can you prevent other applications from accessing cryptographic tokens or actually tokens? Usually tokens are protected by a PIN or something. So it depends on the token how whether the driver will allow you to access or not. I don't know probably what we know better about how tokens will access the problem. Basically what the URL tries to do URL is a resource specified just point to the resource how the token actually protects resources of the token or implementations flipped outside of Pegasus even. Thank you. There are no more questions. No, thank you.