Hi Alon,

> >   Sorry, I didn't look through each one.  Code reuse is great, I just
> > don't see why writing to a new interface helps that.
> I don't wish to offend, but have you implemented PKCS#11 code that

  None taken!  Please don't take this thread personally.  I hope you
see my distinction in my last mail.

> works with several vendors' providers, smartcards (dynamic) and HSMs
> (static)?
>
> There are some challenges for example:
> 1. Asking for PIN only when required, but reuse session (key) between
> keys on the same token.
> 2. Handling session expiration, card removal and insertion without disconnecting
> the user's applicative session (such as TLS).
> 3. Supporting multiple providers at the same time, allowing the application
> to not care where keys come from.
> 4. Asking the user to insert his token when a private key operation is
> performed and the token is not available, so that the applicative session will
> not disconnect (such as TLS).
> 5. Detecting the same token if it moved from one slot to the other slot.
> 6. Supporting working with several tokens (may be of different
> providers) at the same time.
> 7. Caching objects required for fast access, as reading attributes
> tends to be slow.
> 8. Detecting which certificate to use for a specific key, as there can
> be older certificates on tokens.
> 9. Handling slot events correctly, there are providers that do not
> support this, so needs to be pulled, there are ones that support but
> without events, and there are ones who support events.
> 10. Signature using Sign or SignVerify depending on key attributes, or
> failure in one.
> 11. Decrypt using Decrypt or Unwrap depending on key attributes, or
> failure in one.
> 12. Enforce session expiration if required by user.
> 13. Having OpenSSL engine for use of OpenSSL application.
> 14. Serialization support, so that a specific object can be found
> later on without token enumeration.
> 15. Direct object access without the need to enumerate token contents,
> as enumerating tends to be super slow.
>
> <I may forget some more issues>
>
> If the above do not imply using code reuse, I don't know what is.

  It certainly does, but none of it invalidates my point.

Kent

-- 
Kent Yoder
IBM LTC Security Dev.
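
Items 5 and 14 of the quoted list (recognising a token that moved between slots, and serializing a reference that can be resolved later) both depend on identifying a token by its own fields rather than by slot number. The C code below is an added example, not part of this message or of any project's code; the structs are constructed stand-ins for the identity fields of PKCS#11 `CK_TOKEN_INFO`, and `token_id`, `find_token`, `make_token` and the sample tokens are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the space-padded identity fields of PKCS#11
   CK_TOKEN_INFO, so this runs without a cryptoki header or provider. */
typedef struct { char label[32], manufacturerID[32], model[16], serialNumber[16]; } token_info;
/* Hypothetical slot table entry: a slot number and the token it holds. */
typedef struct { unsigned long slot_id; int present; token_info info; } slot_entry;

static int trimmed(const char *f, int n) {      /* length without padding */
    while (n > 0 && f[n - 1] == ' ') n--;
    return n;
}
/* Serialize the token identity without the slot number (assumes no '/' in fields). */
void token_id(const token_info *t, char *out, size_t cap) {
    snprintf(out, cap, "%.*s/%.*s/%.*s/%.*s",
             trimmed(t->manufacturerID, 32), t->manufacturerID,
             trimmed(t->model, 16), t->model,
             trimmed(t->serialNumber, 16), t->serialNumber,
             trimmed(t->label, 32), t->label);
}
/* Slot now holding the token with this id, or -1 (caller would then prompt). */
long find_token(const slot_entry *slots, size_t n, const char *id) {
    char cur[128];
    for (size_t i = 0; i < n; i++) {
        if (!slots[i].present) continue;
        token_id(&slots[i].info, cur, sizeof cur);
        if (strcmp(cur, id) == 0) return (long)slots[i].slot_id;
    }
    return -1;
}
static void pad(char *dst, size_t n, const char *s) {
    size_t len = strlen(s);
    memset(dst, ' ', n);
    memcpy(dst, s, len < n ? len : n);
}
token_info make_token(const char *label, const char *serial) { /* constructed data */
    token_info t;
    pad(t.label, 32, label);    pad(t.manufacturerID, 32, "ExampleVendor");
    pad(t.model, 16, "ModelX"); pad(t.serialNumber, 16, serial);
    return t;
}
int main(void) {
    slot_entry slots[2] = {{0}}; char id[128];
    slots[1].slot_id = 1;
    slots[0].info = make_token("alice", "0001"); slots[0].present = 1;
    token_id(&slots[0].info, id, sizeof id);     /* saved while in slot 0 */
    slots[1].info = slots[0].info; slots[1].present = 1; slots[0].present = 0;
    printf("%s -> slot %ld\n", id, find_token(slots, 2, id));
    return 0;
}
```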
