[crypto-discuss] Elliptic-Curve Cryptography for Solaris [PSARC/2007/446 Self Review]
Mark Powers
mark.powers at Sun.COM
Thu Aug 2 11:51:29 PDT 2007
Krishna Yenduri wrote:
> Darren J Moffat wrote:
>> Krishna Yenduri wrote:
>>> Mark Powers wrote:
>>>>>> 3.6. How will you know when you are done?:
>>>>>> When we can use pkcs11 on Apache for ECC.
>>>>>>
>>>>> Does this mean this project will modify OpenSSL PKCS #11 engine to
>>>>> add the support for ECC mechanisms? You might want to test with
>>>>> Sun Java System web server too.
>>>> Perhaps I'm naive, but I thought by offering ECC mechanisms in libpkcs11
>>>> and telling the webserver to use pkcs11, that everything would work.
>>>
>>> No. It does not.
>>>
>>> Apache web server depends on the OpenSSL PKCS #11 engine to be able
>>> to use libpkcs11. This means we have to extend the engine for the new
>>> ECC mechanisms, for Apache to work.
>>
>> Updating the OpenSSL "pkcs11" ENGINE is a separate project by a
>> separate project team - there are sensitive legal issues with some of
>> the OpenSSL ECC code that doesn't impact this case since it uses code
>> from NSS.
>
> Then section 3.6 needs to be changed. And the above dependency/issue
> needs to be called out.
>
>> For Sun Java System Web Server I believe it already supports ECC keys
>> and certs via NSS and since NSS can use the Solaris libpkcs11 it can
>> use this case's work (though there is little point since it would
>> likely end up being no faster since it is the same software
>> implementation).
s/Apache/Sun Java System Web Server/
All I want to do is to use ECC for something useful. I could "call it done"
when all test vectors pass, but I thought I could take it one step further
and try a web server in addition to test vectors.
>
> Yes. One would typically only do this if there is hardware
> acceleration available. The software implementation
> helps as a fallback in this case. For example, if the hardware
> returned a CRYPTO_BUSY error code, metaslot
> will use softtoken.
>
> -Krishna
>
>
>
>