On Wed, 2009-07-08 at 15:36 -0500, Nicolas Williams wrote:
> On Wed, Jul 08, 2009 at 04:21:47PM -0400, Will Young wrote:
> > On Wed, 2009-07-08 at 14:25 -0500, Nicolas Williams wrote:
...
> > 
> >     A kmf/PKCS#11 hybrid module seems to be the only possibility aside from
> > OpenSSL or NSS that adequately covers the needed crypto operations and
> > certificate management operations.
> 
> The nice thing about KMF is that it gives you a single interface to
> OpenSSL and NSS keystores.
> 
> >     But this combination also doesn't solve anything for all store types so
> > it is not a worthwhile immediate investment.
> 
> I don't understand this last statement.

        KMF gives nice capabilities for certificate operations, i.e. to
determine the trust of a cert given a store of any type.  But it really
has crypto operations that are also geared towards certificate
management purposes.  I.e. atomic since certificates are small, not so
many algorithms since no one wants an odd one for their certs.

        So once one has done one's cert operations and is then ready to use the
key, one needs to drop to a specific underlying provider to do
operations xmlsec requires with the key.  This means either an
implementation of crypto for each keystore type or key extraction and
the assumption that key extraction will always be allowed by the
non-default keystores.
        -Will
