On Mon, Jun 20, 2011 at 3:01 PM, Novikov, Lev <[email protected]> wrote:
> On 2011-06-19 12:38, Peter Gutmann wrote:
>> Just one word really: Why?
>
> There is an existing class of devices and environments (e.g., military
> and diplomatic communications) which have particular requirements that
> are hard to retrofit into existing crypto APIs (i.e. the logical models
> are substantially different).
>
> For example, many of these devices operate in a manner such that the
> results of cryptographic operations are not returned to the program that
> initiated the operation--as they are in existing crypto APIs. Rather,
> the request starts in one security domain, is executed by the crypto
> (which is on the border between two domains), and the result emanates in
> another domain.
The GSS-API has been growing extensions to deal with these situations by exposing more information to the application. There are also some extensions by which to specify policies/profiles to apply. Creating a whole *new* API to layer above the GSS-API would be OK IFF the new API were effectively a simplified profile of the GSS-API.

Nico
--
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
