[crypto-discuss] Elliptic-Curve Cryptography for Solaris [PSARC/2007/446 Self Review]
Krishna Yenduri
bhargava.yenduri at sun.com
Thu Aug 2 12:01:28 PDT 2007
Mark Powers wrote:
> Krishna Yenduri wrote:
>> Darren J Moffat wrote:
>>> Krishna Yenduri wrote:
>>>> Mark Powers wrote:
>>>>>>> 3.6. How will you know when you are done?:
>>>>>>> When we can use pkcs11 on Apache for ECC.
>>>>>>>
>>>>>> Does this mean this project will modify OpenSSL PKCS #11 engine to
>>>>>> add the support for ECC mechanisms? You might want to test with
>>>>>> Sun Java System web server too.
>>>>> Perhaps I'm naive, but I thought by offering ECC mechanisms in
>>>>> libpkcs11 and telling the webserver to use pkcs11, that everything
>>>>> would work.
>>>>
>>>> No. It does not.
>>>>
>>>> Apache web server depends on the OpenSSL PKCS #11 engine to be able
>>>> to use libpkcs11. This means we have to extend the engine for the new
>>>> ECC mechanisms, for Apache to work.
>>>
>>> Updating the OpenSSL "pkcs11" ENGINE is a separate project by a
>>> separate project team - there are sensitive legal issues with some of
>>> the OpenSSL ECC code that doesn't impact this case since it uses
>>> code from NSS.
>>
>> Then section 3.6 needs to be changed. And the above dependency/issue
>> needs to be called out.
>>
>>> For Sun Java System Web Server I believe it already supports ECC
>>> keys and certs via NSS and since NSS can use the Solaris libpkcs11
>>> it can use this case's work (though there is little point since it
>>> would likely end up being no faster since it is the same software
>>> implementation).
>
> s/Apache/Sun Java System Web Server/
>
> All I want to do is to use ECC for something useful. I could "call it
> done" when all test vectors pass, but I thought I could take it one step
> further and try a web server in addition to test vectors.
And I agree that is a good goal because there could be interoperability
issues that show up.
-Krishna