[openssl-dev] A new openssl engine
David Woodhouse
dwmw2 at infradead.org
Thu Jun 25 16:03:29 UTC 2015
On Thu, 2015-06-25 at 15:45 +0000, Viktor Dukhovni wrote:
> On Thu, Jun 25, 2015 at 04:34:34PM +0100, Matt Caswell wrote:
>
> > Whether such a patch would be accepted though is an entirely different
> > thing. Personally I would prefer new engines to be maintained outside of
> > the OpenSSL tree. Inclusion in the OpenSSL tree implies that the OpenSSL
> > dev team will support the code. That becomes very difficult/impossible
> > if we do not have access to the hardware.
>
> In addition, in order to not dig the hole we're in deeper, the
> contributed code would have to be high quality code. That is,
> clearly written, sensibly commented and well documented.
>
> All in all, it seems unlikely that new engines will become part of
> the OpenSSL official distribution. If anything, some existing
> engines are likely to be retired.

FWIW I hope that a PKCS#11 engine might be an exception to that rule.
Note that I say "a" PKCS#11 engine not necessarily "the" PKCS#11
engine, given the comments about code quality.

Or rather than an engine, merging a suitably licensed version of
something like libp11 into crypto/p11/ and making PKCS#11 a first-class
citizen in OpenSSL would perhaps be a better option...

--
dwmw2