[openssl-dev] A new openssl engine

Dmitry Belyavsky beldmit at gmail.com
Fri Jun 26 16:36:19 UTC 2015


Dear Matt,

On Fri, Jun 26, 2015 at 2:23 AM, Matt Caswell <matt at openssl.org> wrote:

>
>
> On 25/06/15 21:58, Viktor Dukhovni wrote:
> > On Thu, Jun 25, 2015 at 10:48:08PM +0200, Kurt Roeckx wrote:
> >
> >> On Thu, Jun 25, 2015 at 11:36:58PM +0300, Dmitry Belyavsky wrote:
> >>>
> >>> BTW, what does the OpenSSL Team plan regarding the GOST engine?
> >>
> >> I think some of us want to get rid of it, because it's rather
> >> crappy code.
> >
> > I think that if GOST is really going to be a supported set of
> > algorithms, then it should not be an engine, and should be integrated
> > properly, with robust well written and carefully reviewed code.
> >
> > The current engine is IMHO not a good long-term vehicle for providing
> > GOST support to OpenSSL users.
> >
>
> I don't see GOST being integrated as a first class citizen in the near
> future unless a member of the dev team volunteers to own it. So far I've
> not seen any evidence of that happening (although to be fair I've not
> asked the question until now!).
>
> In the absence of such an owner stepping forward, my preferred solution
> is to spin GOST out as a separately maintained engine - if we could find
> someone willing to take it on.
>

It's not a problem to start maintaining the engine code outside the main
OpenSSL tree.

But comprehensive support of GOST requires much more:
- TLS (the most messy)
- pkcs12
- OIDs for algs themselves and for some extensions used in Russia
- some smime-related stuff
etc

All of the items enumerated above seem to be much more complicated and could
hardly be supported separately from the main tree.

Thank you!

-- 
SY, Dmitry Belyavsky