Hi Alon, > I will not rewrite low level PKCS#11 code outside the pkcs11-helper > library, this will be unwise, unprofessional, unmaintainable and > unsupported, especially if the reason is political one.
As useful as pkcs11-helper may be, PKCS#11 is the industry standard API and ecryptfs must support it eventually. Most importantly its the interface through which the Java Cryptography Extension accesses the hardware, which is for us the most important consumer. > What I suggest is for you to support this configuration, and see if > the large vendors use --enable-pkcs11. If they don't, you lose nothing > for now, as you did not intend to have PKCS#11 so soon anyway, right? This would be trouble -- we wouldn't want different distros shipping different ecryptfs utils packages with the same options that did different things when one day we ship a module that talks pure PKCS#11. > Then I and other users (if you don't want to be part of it), may > discuss the inclusion of the feature with the large vendors and get > their formal response. At least in the meantime many other users will You're basically trying to take on the world here... :-) > enjoy the feature and provide valuable feedback. After a while if and > when you decide to implement your own PKCS#11 key module, you do that > *REPLACING* the former one, as there is no reason keeping both > implementation around. But at least the efforts of making the I don't see pkcs11-helper and PKCS#11 being mutually exclusive by any means. The pki modules so far have been named for the interface that they interact with, and pkcs11-helper is the interface, not PKCS#11. If other packages use pkcs11-helper they must find it useful, so shipping it in the utils package should be an option. But doing things like pulling an RSA modulus out of a pkcs11 data store and encrypting with it using OpenSSL is not going to be acceptable for some vendors. Kent -- Kent Yoder IBM LTC Security Dev. ------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/ _______________________________________________ eCryptfs-devel mailing list eCryptfs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ecryptfs-devel
