Mark,

This looks good. I have a couple of comments below ...

> 2. Project Summary
> 2.1. Project Description:
> This project will add Elliptic-Curve Cryptography (ECC) to the
> Solaris Encryption Framework. ECC will be available to kernel
> and user-level consumers.
> One potential kernel consumer is kernel SSL since TLS can use ECC cipher suites.
> 3.6. How will you know when you are done?:
> When we can use pkcs11 on Apache for ECC.
>

Does this mean this project will modify OpenSSL PKCS #11 engine to add the support for ECC mechanisms? You might want to test with Sun Java System web server too.

> 4. Technical Description:
> 4.1. Details:
> The Solaris Crypto Framework has loadable software modules that
> provide cryptographic algorithms for kernel consumers. These offer
> algorithms such as AES and RSA. The framework also has a softtoken
> library that implements algorithms for user-level consumers. This
> project introduces a new module offering ECC. It also adds ECC to
> the softtoken library.
>
> The low-level implementation of ECC that we will use was originally
> developed by Sun Labs and subsequently given to NSS. Legal approval
> to use this code under Mozilla Public License v. 1.1 has been
> obtained.
>
> Supported PKCS#11 mechanisms are: CKM_EC_KEY_PAIR_GEN, CKM_ECDSA,
> CKM_ECDSA_SHA1, and CKM_ECDH1_DERIVE.

I assume this list is for the softtoken library. What mechanisms will the kernel ecc software provider support?

Thanks,
-Krishna

> NSS implements 51 ECC curves,
> all of which will be supported. They are:
>
> secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1,
> secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, secp384r1,
> secp521r1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1,
> sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1,
> sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1,
> sect571r1, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,
> c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,
> c2pnb272w1, c2pnb304w1, c2tnb359v1, c2pnb368w1, c2tnb431r1, prime192v1,
> prime192v2, prime192v3, prime256v1
>
> 4.2. Bug/RFE Number(s):
> 5066901 Offer the PKCS#11 Elliptic Curve based mechanisms in Solaris
> 6562402 kernel software provider for Elliptic Curve mechanisms
>
> 4.3. In Scope:
>
> 4.4. Out of Scope:
>
> 4.5. Interfaces:
> Changes to softtoken will not affect the interface to softtoken.
> The only visible change will be four new PKCS#11 mechanisms that
> are visible when the capabilities of the softtoken are queried.
> The loadable module will introduce the following:
> /kernel/crypto/ecc
> /kernel/crypto/amd64/ecc
> /kernel/crypto/sparcv9/ecc
>
