On Fri, Sep 19, 2003 at 01:46:13PM -0400, Geoff Thorpe wrote: > On September 19, 2003 01:16 pm, Colin Watson wrote: > > On Wed, Sep 17, 2003 at 10:23:46AM -0400, Geoff Thorpe wrote: > > > In other words, I think the falling back to software should be > > > configurable and should require the blessing of the user or coder. At > > > one level, you can expose a control command in the ENGINE to > > > configure this, and you could also support an environment variable > > > check for "default" behaviour so that precompiled and unconfigurable > > > apps can still be "configured" by the user. > > > > OK, I see the mechanism. Have you any preferences for the environment > > variable name (or names - perhaps RSA and modexp fallback should be > > configurable separately)? > > Something starting with "OPENSSL_NCIPHER" would make sense from a > namespacing point of view.
I've gone for OPENSSL_NCIPHER_FALLBACK=off, which just turns off software fallback altogether. The new ENGINE control commands are more granular. > Beyond that, it's up to you and what you want your hardware customers > to see - if it's namespaced unintrusively it doesn't really affect > anyone except you and them. My only "requirement" here (I hesitate to > use such a draconian word, I'm more flexible than that, really :-) is > that openssl's behaviour is to not facilitate smoke and mirrors behind > the back of the user or the application - hence making sure you don't > "transparently" change the nature of operations without someone or > something asking you to. The rest is between you and users of ncipher > hardware. Hm. After more thought, I observe that users who don't want software fallback should be using hardware-protected keys, and hwcrhk will not offer software fallback in those cases, since the key material isn't available in plaintext outside the hardware module. Only software keys can use fallback, and it seems quite reasonable for them to do so. Based on that, do you still think that the change in behaviour is serious, as opposed to simply a bug-fix/enhancement? There's certainly no change in security boundaries involved. > NB: As/when you've got another version of the patch ready, please just > add it to the ticket and I should get notified. I've submitted the patch with software fallback enabled (for software keys only, since nothing else is possible) by default. However, if you would still prefer it the other way round, I won't make that stand in the way of having the facility available. Thanks, -- Colin Watson [EMAIL PROTECTED] Software Engineer nCipher Corporation Limited ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
