Mark Powers wrote:
> Krishna Yenduri wrote:
>> Darren J Moffat wrote:
>>> Krishna Yenduri wrote:
>>>> Mark Powers wrote:
>>>>>>> 3.6. How will you know when you are done?:
>>>>>>> When we can use pkcs11 on Apache for ECC.
>>>>>>>
>>>>>> Does this mean this project will modify OpenSSL PKCS #11 engine to
>>>>>> add the support for ECC mechanisms? You might want to test with
>>>>>> Sun Java System web server too.
>>>>> Perhaps I'm naive, but I thought by offering ECC mechanisms in
>>>>> libpkcs11 and telling the webserver to use pkcs11, that everything
>>>>> would work.
>>>>
>>>> No. It does not.
>>>>
>>>> Apache web server depends on the OpenSSL PKCS #11 engine to be able
>>>> to use libpkcs11. This means we have to extend the engine for the new
>>>> ECC mechanisms, for Apache to work.
>>>
>>> Updating the OpenSSL "pkcs11" ENGINE is a separate project by a
>>> separate project team- there are sensitive legal issues with some of
>>> the OpenSSL ECC code that doesn't impact this case since it uses
>>> code from NSS.
>>
>> Then section 3.6 needs to be changed. And the above dependency/issue
>> needs to be called out.
>>
>>> For Sun Java System Web Server I believe it already supports ECC
>>> keys and certs via NSS and since NSS can use the Solaris libpkcs11
>>> it can use this case's work (though there is little point since it
>>> would likely end up being no faster since it is the same software
>>> implementation).
>
> s/Apache/Sun Java System Web Server/
>
> All I want to do is to use ECC for something useful. I could "call it
> done" when all test vectors pass, but I thought I could take it one
> step further and try a web server in addition to test vectors.

And I agree that is a good goal because there could be interoperability
issues that show up.

-Krishna
