On 31/01/14 18:28, Ryan Sleevi wrote:
On Fri, January 31, 2014 9:18 am, Alan Braggins wrote:
  On 31/01/14 10:24, Julien Pierre wrote:
On 1/27/2014 10:28, Kathleen Wilson wrote:
Draft Design Doc posted by Ryan Sleevi regarding Chrome migrating from
NSS to OpenSSL:

https://docs.google.com/document/d/1ML11ZyyMpnAr6clIAwWrXD53pQgNR-DppMYwt9XvE6s/edit?pli=1

Strange that "PKCS#11 support" is listed as a "con" for NSS.

  It is at least listed under "pro" as well.... (Having ENGINE_pkcs11
  listed under both for OpenSSL might make sense too.)

It was not accidental that it was listed under "Con", nor do I see
ENGINE_pkcs11 as a "Pro".

As part of its fundamental design, NSS performs all operations using
PKCS#11 tokens. Even the internal cryptographic implementation is exposed
as a PKCS#11 token - softoken.

That conflates two different things though.

Having support for PKCS#11 tokens at all is a pro, even if one
irrelevant to the vast majority of users.

Having a design that shoe-horns all cryptographic operations
through a PKCS#11 token layer has the disadvantages you describe,
but isn't really the same thing as "PKCS#11 support".


It's good for interop with smart cards.

Which is what it was designed for.....

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
