Krishna Yenduri wrote:
> Darren J Moffat wrote:
>> Krishna Yenduri wrote:
>>> Mark Powers wrote:
>>>>>> 3.6. How will you know when you are done?:
>>>>>> When we can use pkcs11 on Apache for ECC.
>>>>>>
>>>>> Does this mean this project will modify OpenSSL PKCS #11 engine to
>>>>> add the support for ECC mechanisms? You might want to test with
>>>>> Sun Java System web server too.
>>>> Perhaps I'm naive, but I thought by offering ECC mechanisms in
>>>> libpkcs11 and telling the webserver to use pkcs11, that everything
>>>> would work.
>>>
>>> No. It does not.
>>>
>>> Apache web server depends on the OpenSSL PKCS #11 engine to be able
>>> to use libpkcs11. This means we have to extend the engine for the new
>>> ECC mechanisms, for Apache to work.
>>
>> Updating the OpenSSL "pkcs11" ENGINE is a separate project by a
>> separate project team- there are sensitive legal issues with some of
>> the OpenSSL ECC code that doesn't impact this case since it uses code
>> from NSS.
>
> Then section 3.6 needs to be changed. And the above dependency/issue
> needs to be called out.
>
>> For Sun Java System Web Server I believe it already supports ECC keys
>> and certs via NSS and since NSS can use the Solaris libpkcs11 it can
>> use this case's work (though there is little point since it would
>> likely end up being no faster since it is the same software
>> implementation).

s/Apache/Sun Java System Web Server/

All I want to do is to use ECC for something useful. I could "call it done" when all test vectors pass, but I thought I could take it one step further and try a web server in addition to test vectors.

>
> Yes. One would typically only do this if there is hardware
> acceleration available. The software implementation
> helps as a fallback in this case. For example, if the hardware
> returned a CRYPTO_BUSY error code, metaslot
> will use softtoken.
>
> -Krishna
