From: David W. <dw...@in...> - 2016-02-29 08:25:18

On Fri, 2016-02-26 at 19:12 +0200, Alon Bar-Lev wrote:
>
> What you seek is actually NSS.
> This won't happen, ever.
> Even if it will happen, libp11 is not the right implementation of
> doing that.

Yeah, we don't want NSS. NSS has its own problems :)

When I say we want to make PKCS#11 a first-class citizen in OpenSSL, I don't mean we want to rearchitect OpenSSL to be completely based around PKCS#11, as NSS is. I only mean that we want the PKCS#11 functionality (like that of libp11 or indeed pkcs11-helper) to be a *part* of OpenSSL's APIs. So that anyone using OpenSSL could reasonably be *expected* to support certificates/keys from PKCS#11 whenever they support using them from a file.

> I have experience in working with openssl codebase and it won't be
> extended to support such specific implementation.
> There was the opencryptoki project, that was the closest one of doing
> that without adding any code to openssl.

The point here *is* to add code to OpenSSL. That's why we have OpenSSL developers on Cc, who are interested in making this happen.

Your ideas on what the OpenSSL API should look like would be very much welcomed. You're absolutely right that it shouldn't turn into NSS, and I have already been talking to Rich about the keystore. Any more insight, either in advance or as I proceed with trying to put something together, would be very much appreciated; thanks!

Just as importantly, please could you agree to the use of your code in libp11 under a 3-clause BSD licence? Whether or not the final OpenSSL 1.2 API actually looks like libp11, I'm fairly sure there *will* be a lot of opportunity for code re-use, and the permission to relicense it would be very much appreciated.

Thanks.

--
dwmw2