Can you please clarify the relationship between the methods of accessing private keys of the Nitrokey PRO2, like:
OpenSC vs PKCS11 vs PGP?
While I slightly understand what the OpenPGP Card specification is and how it is implemented in Nitrokey Start (GNUK2), I am not sure how it is done in Nitrokey PRO2.
Are there two or three different methods of accessing keys from OpenSSH:
Using PKCS11 without OpenSC like (for Yubico):
ssh -I XXX/libykcs11.so email@example.com
What is the syntax for Nitrokey to achieve the same task?
Or Nitrokey cannot work directly without OpenSC?
ssh -I opensc-pkcs11.so
Does OpenSC access PKCS11 too by itself?
Is RSA 4096 available via OpenSC?
What is the syntax for the same idea for Yubikey now? Or is it deprecated for Yubikey?
I am not clear at all how GPG/PGP accesses the key.
Does GPG work only with OpenPGP card interface or with something else?
Is OpenPGP card available via PKCS11 or OpenSC or its own protocol?
Does GPG access keys via PKCS11 or OpenSC or some other interface?
Why does it provide access to long RSA4096 keys where PKCS11 fails to do this from SSH?
Can OpenSSH use RSA4096 keys with PGP agent working in ssh-agent compatibility mode?
OpenSC is a set of software tools and libraries to work with smart cards, with the focus on smart cards with cryptographic capabilities. OpenSC facilitates the use of smart cards in security applications such as authentication, encryption and digital signatures. OpenSC implements the PKCS #15 standard and the PKCS #11 API.
So OpenSC implements the PKCS11 API for usage from other programs? Then it could be named something like a PKCS11 driver for hardware cryptography tokens?
OpenSC is not a special protocol or API by itself but rather just an open source implementation of PKCS 11 for some hardware tokens.
Therefore programs like Firefox use the PKCS11 API implemented in OpenSC or other implementations like Yubikey libykcs11.so? There is no specific need just for OpenSC, but for any PKCS 11 provider?
Where are all PKCS11 providers accounted and listed? Which utility can list all installed PKCS11 providers from some registry or config file on Linux? Or are they accessed just by their path even from browsers?
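
An added example, not part of the original post: on Linux systems that use p11-kit (an assumption, the post does not name it), PKCS#11 providers are registered as "*.module" files, and the sketch below lists them. The function name list_p11_modules is hypothetical; the two directories are p11-kit's usual defaults and may differ per distribution.

```shell
#!/bin/sh
# Added example: list PKCS#11 providers registered with p11-kit.
# Assumption: each provider has a "<name>.module" file containing a
# "module: <library>" line. A bare file name (no directory) is resolved
# by p11-kit against its default module directory.

# Usual p11-kit search directories: packaged defaults, then admin config.
P11_DIRS="/usr/share/p11-kit/modules /etc/pkcs11/modules"

# list_p11_modules [DIR...]
# Prints one "name<TAB>library" line per registered provider.
list_p11_modules() {
    [ "$#" -gt 0 ] || set -- $P11_DIRS
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.module; do
            [ -f "$f" ] || continue
            # First "module:" line, with the key and leading blanks removed.
            lib=$(sed -n 's/^[[:space:]]*module:[[:space:]]*//p' "$f" | head -n 1)
            if [ -n "$lib" ]; then
                printf '%s\t%s\n' "$(basename "$f" .module)" "$lib"
            fi
        done
    done
    return 0
}

# Run against the default directories, or against directories given as arguments.
list_p11_modules "$@"
```

The library column is the value that OpenSSH takes after -I, as in the ssh -I opensc-pkcs11.so line in the post. Where p11-kit is installed, `p11-kit list-modules` reports the same registrations together with the tokens each module exposes.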