From: Ludovic R. <lud...@gm...> - 2016-02-26 18:13:59
2016-02-26 15:19 GMT+01:00 David Woodhouse <dw...@in...>:
> It would be really useful if OpenSSL *included* support for PKCS#11 as
> a first class citizen.
>
> This would mean that it could be natively incorporated into higher
> level APIs such as SSL_CTX_use_certificate() and friends. Basically any
> API that can take a filename to reference a certificate, should also be
> able to take a RFC7512 PKCS#11 URI.
>
> This would also allow us to use a coherent trust database from PKCS#11,
> which solves the problem of which *purposes* we trust each CA for,
> unlike the existing flat-file solutions.
>
> And applications would no longer need to jump through additional hoops
> and have additional dependencies to get PKCS#11 support; we could make
> it largely Just Work™, like it does for example with GnuTLS.
>
>
>
> The code in libp11 is basically written to be OpenSSL code. If you
> dropped it into the crypto/pkcs11 directory of OpenSSL precisely as it
> stands, it wouldn't look out of place.
>
> I propose — as the starting point of a plan which will surely be
> modified by the time we conclude this thread — that we do so.
>
> The biggest barrier to this, of course, is the licence. For reasons
> which are lost in the mists of time, libp11 is licensed under the
> LGPLv2, and is not compatible with the OpenSSL licence.
>
> Therefore, I propose that we relicense the libp11 project under a
> standard 3-clause BSD licence.

OK for me. I don't even remember what code I wrote for libp11 :-)

Bye

--
Dr. Ludovic Rousseau