On 10/9/07, Kent Yoder <[EMAIL PROTECTED]> wrote:
> Sorry, I didn't look through each one. Code reuse is great, I just
> don't see why writing to a new interface helps that.

I don't wish to offend, but have you implemented PKCS#11 code that works with several vendors' providers, smartcards (dynamic) and HSMs (static)? There are some challenges, for example:

1. Asking for the PIN only when required, but reusing the session (key) between keys on the same token.
2. Handling session expiration and card removal/insertion without disconnecting the user's applicative session (such as TLS).
3. Supporting multiple providers at the same time, allowing the application not to care where a key comes from.
4. Asking the user to insert his token when a private key operation is performed and the token is not available, so that the applicative session will not disconnect (such as TLS).
5. Detecting the same token if it moved from one slot to another slot.
6. Supporting working with several tokens (maybe of different providers) at the same time.
7. Caching objects required for fast access, as reading attributes tends to be slow.
8. Detecting which certificate to use for a specific key, as there can be older certificates on tokens.
9. Handling slot events correctly: there are providers that do not support this, so they need to be pulled; there are ones that support it but without events; and there are ones that support events.
10. Signature using Sign or SignVerify depending on key attributes, or failure in one.
11. Decrypt using Decrypt or Unwrap depending on key attributes, or failure in one.
12. Enforcing session expiration if required by the user.
13. Having an OpenSSL engine for use by OpenSSL applications.
14. Serialization support, so that a specific object can be found later on without token enumeration.
15. Direct object access without the need to enumerate token contents, as enumerating tends to be super slow.

<I may forget some more issues>

If the above does not imply using code reuse, I don't know what does.

Best Regards,
Alon Bar-Lev.
