Sanjay Agrawal wrote:
> Thanks all. This has been very helpful.
>
> One more question:
> Using SCA6000 through SCF wouldn't void the FIPS compliance that SCA6000
> provides. I am aware of the FIPS/SCF project but am not sure if current
> SCF's non-compliance with FIPS would affect the overall compliance. I
> guess if SCF is purely pass through with the "crypto boundary" at
> SCA6000, SCF shouldn't impact anything.

Yes, it's all about the crypto boundary. If only the algorithms and keystore are used on the SCA6000, it would be in compliance.

Tony

>
> Thanks,
> - sanjay
>
> Darren J Moffat wrote:
>> Sanjay Agrawal wrote:
>>> Let me see if I get this right:
>>> 1) NSS provides a wrapper for PKCS11 which means any PKCS11 provider
>>> can "plug-in" into NSS libraries.
>> correct
>>
>>> 2) SCF is also a wrapper ( actually much more than a wrapper but I am
>>> using the term to draw a parallel between NSS and SCF) for PKCS11.
>> correct
>>
>>> 3) NSS does NOT use SCF. It is a standalone library with its own
>>> plugin modules. So it can't use SCF enabled cryptos. For SCA6000 h/w
>>> acceleration to work, SCA6000 needs to provide PKCS11 interfaces that
>>> directly plugin into NSS.
>> NSS does not use the Solaris libpkcs11 (PLEASE don't use the TLA SCF
>> it maps to far too many things in Solaris and libscf has nothing to do
>> with the crypto framework) by default but can be configured to do so
>> using modutil(1).
>>
>> For Solaris hardware crypto like the SCA-6000 plugs in to the kernel
>> part of the crypto framework and appears in userland via
>> /usr/lib/libpkcs11.so.1
>>
>> So the SCA-6000 CAN be accessed via NSS using PKCS#11 just like the
>> UltraSPARC T1/T2 on chip crypto.
>>
>
> _______________________________________________
> crypto-discuss mailing list
> crypto-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/crypto-discuss