[bind10-dev] crypto API
Francis Dupont
fdupont at isc.org
Sat Feb 27 08:43:48 UTC 2010
> > => if it is so obvious what this says about public DNSSEC key vs
> > private DNSSEC key?
>
> In what context? That is, what HAS the key, or IS the key here?
=> the private key includes the public key, so inheritance or embedding?
> > => you didn't understand my idea: in other words IMHO it is better to
> > adapt existing crypto libs to what BIND 10 needs than the opposite,
> > so the API should be designed from the need, not the offer.
> > BTW this should guarantee to not be locked to a particular library
> > (i.e., not reproduce the BIND 9 and OpenSSL issue).
>
> I think we should use softhsm for all crypto, and not touch openssl. Ever.
=> by softhsm do you mean PKCS#11 or Botan? To use a software token seems
to be a strange idea... And BTW if OpenSSL is questionable for its ASN.1
support (or lack of support :-) its implementation of low level crypto
is recognized to be good and fast.
Francis Dupont <fdupont at isc.org>