It seems we have touched a nerve!!! Love your passion, but Wouter's excellent work in writing to the Windows CAPI interface (which is simply an interface) puts all of us in a position to replace the underlying Crypto Service Provider (i.e. CSP) with, for example, a smartcard vendor's CSP accessing a secure hardware token or smartcard, etc.
Similarly with the NSS implementation, we are now able to substitute PKCS11 providers and again leverage alternate crypto engines and Key storage facilities. Please tell me how that would be done in an OpenSSL environment with its terribly "thin" key storage management?

Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Igor Zlatkovic
Sent: September 20, 2003 11:32 AM
To: Aleksey Sanin; [EMAIL PROTECTED]

Hi there,

> Probably in the future we should make mscrypto the default crypto
> engine on Windows (Igor?).

No, but you heard that already. :-)

There is a difference between security and obscurity. All algorithms are known, so are most implementations. If you won't show me your code so I see what it does, then I must assume that you have something to hide and will compromise my secrets; and I will keep a watchful eye on you, even if I never meet you again.

Cryptography exists for one, and only one, reason: because people don't trust each other. If I don't trust you enough to let you read my mail, but I blindly trust an obscure encryption system you have made, then I am a simple fool.

The point of it all: Cryptography software is either open source, or non-existent, as far as I am concerned. Everything else can be proprietary, but crypto cannot. That simply defeats the very reason of its existence.

Set mscrypto as the default in xmlsec and what advantage over msxml would remain?

> Also it would be nice to include all the supported xmlsec-<crypto>
> libraries in Windows binaries (again, Igor? :) )

For the love of completeness, yes. For myself, I would like to leave out everything that uses a proprietary system beneath. For the reasons described above, I would not encourage people to use it by distributing the binary.

However, I should have spoken that earlier, before the bloody thing was made. Leaving it out now is a spit in the face to everyone who contributed to it.
I am not happy about it, but the binary will have all supported bits.

Ciao,
Igor

_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
