[crypto-discuss] Elliptic-Curve Cryptography for Solaris [PSARC/2007/446 Self Review]
Krishna Yenduri
bhargava.yenduri at sun.com
Thu Aug 2 11:29:05 PDT 2007
Darren J Moffat wrote:
> Krishna Yenduri wrote:
>> Mark Powers wrote:
>>>>> 3.6. How will you know when you are done?:
>>>>> When we can use pkcs11 on Apache for ECC.
>>>>>
>>>> Does this mean this project will modify OpenSSL PKCS #11 engine to
>>>> add the support for ECC mechanisms? You might want to test with Sun
>>>> Java System web server too.
>>> Perhaps I'm naive, but I thought by offering ECC mechanisms in
>>> libpkcs11 and telling the webserver to use pkcs11, that everything
>>> would work.
>>
>> No. It does not.
>>
>> Apache web server depends on the OpenSSL PKCS #11 engine to be able
>> to use libpkcs11. This means we have to extend the engine for the new
>> ECC mechanisms, for Apache to work.
>
> Updating the OpenSSL "pkcs11" ENGINE is a separate project by a
> separate project team - there are sensitive legal issues with some of
> the OpenSSL ECC code that doesn't impact this case since it uses code
> from NSS.
Then section 3.6 needs to be changed. And the above dependency/issue
needs to be called out.
> For Sun Java System Web Server I believe it already supports ECC keys
> and certs via NSS and since NSS can use the Solaris libpkcs11 it can
> use this case's work (though there is little point since it would
> likely end up being no faster since it is the same software
> implementation).
Yes. One would typically only do this if there is hardware acceleration
available. The software implementation helps as a fallback in this case.
For example, if the hardware returned a CRYPTO_BUSY error code, metaslot
will use softtoken.
-Krishna