[openssl-dev] A new openssl engine
Matt Caswell
matt at openssl.org
Fri Jun 26 18:12:53 UTC 2015
On 26/06/15 17:36, Dmitry Belyavsky wrote:
> Dear Matt,
>
> On Fri, Jun 26, 2015 at 2:23 AM, Matt Caswell <matt at openssl.org
> <mailto:matt at openssl.org>> wrote:
>
> On 25/06/15 21:58, Viktor Dukhovni wrote:
> > On Thu, Jun 25, 2015 at 10:48:08PM +0200, Kurt Roeckx wrote:
> >
> >> On Thu, Jun 25, 2015 at 11:36:58PM +0300, Dmitry Belyavsky wrote:
> >>>
> >>> BTW, what does the OpenSSL Team plan regarding the GOST engine?
> >>
> >> I think some of us want to get rid of it, because it's rather
> >> crappy code.
> >
> > I think that if GOST is really going to be a supported set of
> > algorithms, then it should not be an engine, and should be integrated
> > properly, with robust well written and carefully reviewed code.
> >
> > The current engine is IMHO not a good long-term vehicle for providing
> > GOST support to OpenSSL users.
> >
>
> I don't see GOST being integrated as a first class citizen in the near
> future unless a member of the dev team volunteers to own it. So far I've
> not seen any evidence of that happening (although to be fair I've not
> asked the question until now!).
>
> In the absence of such an owner stepping forward, my preferred solution
> is to spin GOST out as a separately maintained engine - if we could find
> someone willing to take it on.
>
>
> It's not a problem to start maintaining the engine code outside the main
> OpenSSL tree.
>
> But comprehensive support of GOST requires much more:
> - TLS (the most messy)
> - pkcs12
> - OIDs for algs themselves and for some extensions used in Russia
> - some smime-related stuff
> etc
>
> All the enumerated above seems to be much more complicated and could
> hardly be supported separately from the main tree.
Yes. I agree there are some things that could not be taken out. I am not
proposing to remove those - I'm just talking about taking out the main
engine itself.
Matt