[bind10-dev] [sprint planning] estimate result discussion for sprint ending 2013-03-19

Jelte Jansen jelte at isc.org
Tue Mar 5 13:47:58 UTC 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/05/2013 12:20 PM, Carsten Strotmann wrote:
> 
> If I understand correctly, Francis Dupont proposed a plug-able
> PKCS#11 interface where the actual crypto "engine" (Botan, OpenSSL,
> HSM) can be changed. That would be a very flexible solution if that
> can be done in a way that is not too complex (as complexity hurts
> security).
> 

FYI, this has in fact been one of the reasons to choose Botan so far;
the idea was that in the end we'd only use a PKCS#11 interface instead
of any 'raw' crypto library, and 'plug in' for instance SoftHSM as the
software default (so that we'd only have one code path for our crypto
calls, and not several depending on what is being used). But before we
got to that point we needed something to do the relatively few
cryptographic operations we use now.

We then chose Botan for a couple of reasons;
- - SoftHSM used Botan (AFAIK plans are to make it work with several
backends as well but I am not fully up-to-date on current
development), so if we did end up using SoftHSM the indirect
dependency pain wouldn't be as much
- - OpenSSL was especially annoying regarding PKCS#11
- - Diversity is indeed good

Of course, there were a number of things we (or at least I) did not
fully realize at that point;
- - Python uses, and depends on, openssl (not sure how hard it would be
to have python but not necessarily openssl)
- - The chicken-egg problem with botan is a bit bigger than I had
anticipated
- - I had figured we'd be well past the pkcs11 part by now.

Now in principle we did put all the actual backend calls in a separate
unit, and in theory most crypto systems are pretty much alike, so TBH
i don't think replacing it would be insanely hard. So I was almost
convinced we should 'just' move to OpenSSL. I did not expect pushback
on that :) Either way I still think the long-term goal should be the
pkcs#11 approach, with transparent software implementation for those
that just want software support (i.e. almost everyone).

Jelte
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlE1944ACgkQ4nZCKsdOncU87ACfZpX4o//0Eh5ZGajWptjh71Nc
eUYAoJPxIRTq3llStVKV/YlErpw8sHoF
=DpdS
-----END PGP SIGNATURE-----

More information about the bind10-dev mailing list