[bind10-dev] cryptolink design
Francis Dupont
fdupont at isc.org
Tue Jul 17 00:00:54 UTC 2012
> At Mon, 02 Jul 2012 15:24:09 +0000,
> Francis Dupont <fdupont at isc.org> wrote:
>
> > I was looking at the cryptolink design: IMHO it falled into a common
> > error by providing only one update function: in PKCS#11 you have:
> > - SignInit() (which takes the key)
> > - SignUpdate() and SignFinal()
> > - or Sign() which does the same than update*+final in one shot,
> > and the same for Verify. So there is not one update() but two update()
> > functions, one in each "direction". Of course you can go from 2 updates
> > to 1, but not the opposite.
>
> You mean we need different update functions for sign and verify?
=> yes, even in many cases they do the same thing.
> I don't have technical background for it, but the underlying Botan
> library doesn't seem to differentiate these:
=> Botan != the universe
> http://botan.randombit.net/doxygen/classBotan_1_1HMAC.html
> so, as long as our intended usage of this wrapper library is for Botan
> there may not be a reasonable way to support it.
=> so the question is bind10 is bound to Botan for ever or we keep
a window open for PKCS#11? BTW bind9 is (was!) bound to OpenSSL and
at the end it was clearly a bad idea.
Regards
Francis Dupont <fdupont at isc.org>
More information about the bind10-dev
mailing list