[xmlsec] xmlsec-nss patches from Sun( 2003-07-22 )

Andrew Fan Andrew.Fan@sun.com
Wed, 23 Jul 2003 14:37:10 +0800


Tejkumar Arora wrote:

>Andrew Fan Wrote:
>
> >>Why I add the new interfaces:
> >>1. NSS' function "PK11_GetBestSlot", which will load all of the
> >>internal built-in slots or all of the activated pkcs11 module's slots;
> >>2. Sometimes an end user hopes that a certain crypto operation acts in a
> >>certain crypto device, especially in a multi-crypto-device environment.
> >>3. Sometimes a key generated from a certain slot only works in that
> >>slot (such as an RSA private key). PK11_GetBestSlot cannot ensure this.
> >>In that case, the end user can assign the specific slot with the new
> >>interface.
>
>
>Aleksey Sanin wrote:
>
> > Well, I am not sure that "GetBestSlot" should be replaced on the xmlsec
> > level. It seems to me that this is crypto library (NSS) job. I wonder
> > what Tej thinks about that.
>
>I'm not sure GetBestSlot needs to be replaced at all.
>I recall we had a long discussion about your use case scenarios
>Andrew, and my conclusion was that nothing needed to change.
>
>On what basis will an application decide to use a slot
>that is smarter than what PK11_GetBestSlot can do? Can you
>give a detailed use case scenario?
>
>PK11_GetBestSlot is advisory. It is the crypto library's view
>of the best slot for a cryptographic operation. It is not a
>good idea to defeat that by creating your own.
>
>If it turns out that a private key is on one slot, and the
>data is in another, NSS automatically moves the key for you
>(if possible), so if you're worried about this situation, then
>it is already handled for you.
>  
>
I think you'll get some cases from my previous mail about this topic. My
position is that "GetBestSlot" is too smart to bind to a particular
device, so it is not a loyalist. Whether he wants a smart function or a
loyal function, a user should have the decision-making right. xmlSec is a
toolkit; it had better not make the decision for the end user. In our
project, there are cases where we must activate more than one crypto
device and make them work together at the same time: one is a smart
card, the others are key generation centers. The smart card is used for
authentication and authorization, the key generation center is used for
symmetric key generation and backup, and sometimes they should work
together at the same time. And I do not want to initialize xmlSec more
than once, and sometimes I cannot. If "GetBestSlot" is used, I have to
check whether it is the proper device; if not, "GetBestSlot" again and
check again (however, xmlSec internally cannot check that). In a
practical environment, every crypto device has its own usage, although
it is not fully brought into service. The smarter is not the better, I
think.

>
>-Tej
>
> >
> > Anyway, it would be great if you prepare a full diff. Much more simple to
> > understand what is going on and how you are going to use these functions.
> > Also I would appreciate if you can put comments with function
> > description.
> > I use automated API docs generation tools and this is very helpful.
> > Look at any xmlsec source file for examples.
> >
> >
> > Thanks,
> > Aleksey
> >
> > >> Hi, Andrew!
> > >>
> > >> I got the new files but I think you forgot to attach diffs for
> > >> existing files.
> > >> Because right now these are just standalone files and nobody uses
> > >> them :)
> > >
> > >
> > > I want to patch the branch step by step. If you agree that the new
> > > interfaces can take the place of "PK11_GetBestSlot" in other files,
> > > I'll modify them like pkikeys.c. Because they're standalone files,
> > > I think there are no diffs. :-)
> > >
> > > Today, I'll patch other files and I'll provide the diffs. :-)
> >
>
>