On 8/23/11 11:46 , Ludovic Rousseau wrote:
> 2011/8/23 Martin Paljak <mar...@martinpaljak.net>:
>>>> Is there any way to have OpenSC build against some crypto
>>>> libraries other than OpenSSL (preferably licensed in
>>>> GPL-compatible ways) so we could link it to readline without
>>>> violating one license or the other?
>> Two options:
>> - decide to move to some other soft-crypto
>> implementation and reap out OpenSSL (would be lovely)
>> - create a small "softcrypto" mega-interface and allow to plug in different
>> softcrypto implementations (something like cURL did) gradually.
>> This would allow to build without OpenSSL in Debian and such and
>> provide a way to still make use of drivers which might not have a
>> developer or somebody to test any changes.
>
> Apple has deprecated OpenSSL in Lion. OpenSSL is still available
> but will be removed in a later version.
>
> See
> http://ludovicrousseau.blogspot.com/2011/08/mac-os-x-lion-and-openssl.html
>
> I think the correct option for OpenSC (if we stay with OpenSSL) is
> to statically link with OpenSSL (as I imagine is also done on
> Windows).

From what I learned from the WWDC slides [1] (need to be signed in to ADC before opening the link) the reason for deprecating OpenSSL as an "API from platform" was troubles with guaranteeing ABI-compatibility (kitchen-sink API?) and the need to have an up to date FIPS compatible platform (OpenSSL is undergoing a new FIPS validation at the moment, AFAIK, but still only for x86). OpenSSL is in that matter a de facto industry "standard", but far from being perfect for many use cases.

But this only affects OpenSC on Mac OS X (which, in theory, should have the same problem with OpenSSL and license incompatibility as on Linux). Static linking is not the problem nor the solution on Linux (package dependencies should remove the ABI problem).

For OS X, the main question is not what/how to use instead of OpenSSL, but what needs to be implemented instead of Tokend/CDSA to provide support for native applications. FYI: Safari 5.1 on 10.6 crashes with OpenSC.tokend. Or any tokend for that matter.

Studying alternatives for OpenSSL would be a good idea nevertheless, creating a 15th API [2] for software crypto would also be sweet, why not having gateways to CommonCrypto/Transform on Mac (or whatever else they figure out next) and/or CNG/CryptoAPI on Windows in addition to a new chosen LGPL-compatible default platform as well as existing OpenSSL. Learning from cURL experience [3] would be useful as well.

Best,
Martin

[1] http://adcdownload.apple.com/wwdc_2011/adc_on_itunes__wwdc11_sessions__pdf/212_nextgeneration_cryptographic_services.pdf
[2] http://xkcd.com/927/
[3] http://curl.haxx.se/docs/ssl-compared.html

--
@MartinPaljak
+3725156495

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel