[xmlsec] xmlsec-nss patches from Sun( 2003-07-22 )

Aleksey Sanin aleksey@aleksey.com
Wed, 23 Jul 2003 08:51:52 -0700


> It is so hard to make you all understand me because of my poor 
> English. :-)
> My poor English skill! Great, you understand me now. :-)

Well, your English is good enough for me :) I think I understood what 
you want from the beginning.

> By now, you should have asked several times, "why Pk11SlotList". Some 
> reasons are:
> 1. NSS provides a set of functions to manage PK11SlotList;
> 2. The user can dynamically adjust the PK11SlotList directly instead of 
> calling xmlSec functions, which is also safe because xmlSec only gets and 
> references the slot handle;
> 3. xmlSec cares less, just finding the suitable slot from the list.

The question I have is: suppose you have two slots A and B that both support
RSA encryption and DSA signatures. And your application wants to use
slot A for RSA encryption and slot B for DSA signatures. I understand
how you can do it with my proposal when the application explicitly maps
an algorithm to the slot. I am not sure I understand how you can do it with
the "Pk11SlotList" interface you suggest: both slots need to be in the
list, the GetSlot function loops through the list and always selects the 
first one. I see no difference from the original GetBestSlot().


> It is not the best one, it is the suitable one. So I like the name 
> "xmlSecNssSlotInit". :-P

Sure, I don't care :)

>>    int xmlSecNssBestSlotAdopt(CK_MECHANISM_TYPE alg, PK11SlotInfo* 
>> slot) :
>>           Sets "slot" to be used for "alg" (global inside xmlsec).
>
> No. This results in complex lines because there are so many crypto 
> mechanisms, and it also results in a table that must be maintained 
> internally by xmlSec; it is inflexible. This is another reason to use 
> PK11SlotList.

See example above.

> I don't think so (fallback to PK11_getBestSlot(): I understand this is 
> "if no slot in the slot list meets the requirement (mechanism), call this 
> function", right?). If a PK11Slot list is specified, it means only those 
> slots in the list are available, while "GetBestSlot" will search all 
> active slots; if no slot list is initialized, it means the user does not 
> care which slot is selected, and we can call "GetBestSlot".

Well, it's a difference in our proposals :) In my case, I want to let the 
user map only the algorithms he cares about and let GetBestSlot() do the 
rest :) But you are right, in the case of the "list" type API you suggest 
it's probably not necessary.

Aleksey
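An added model of the two proposals discussed in this thread (not xmlsec or NSS code): a PK11SlotList-style first-match lookup beside an explicit mechanism-to-slot mapping with a best-slot fallback. PK11SlotInfo and CK_MECHANISM_TYPE are replaced by stand-in types, and slots A and B with the RSA/DSA scenario are constructed, so it builds without NSS.

```c
/* Added model of the two proposals (not xmlsec or NSS code): PK11SlotInfo and
 * CK_MECHANISM_TYPE are replaced by stand-in types so it builds without NSS. */
#include <stddef.h>

typedef unsigned long mech_t;                 /* stand-in for CK_MECHANISM_TYPE */
enum { MECH_RSA = 1, MECH_DSA = 2 };          /* constructed mechanism ids */

typedef struct {
    const char *name;
    mech_t supported[4];                      /* 0-terminated mechanism list */
} slot_t;

static int slot_supports(const slot_t *s, mech_t m) {
    for (size_t i = 0; s->supported[i]; i++)
        if (s->supported[i] == m) return 1;
    return 0;
}

/* PK11SlotList proposal: walk the list, return the first slot that supports m.
 * The PK11_GetBestSlot() fallback below is modelled the same way. */
static const slot_t *select_from_list(const slot_t *list, size_t n, mech_t m) {
    for (size_t i = 0; i < n; i++)
        if (slot_supports(&list[i], m)) return &list[i];
    return NULL;
}

/* Explicit mapping proposal: an application-supplied mechanism -> slot table is
 * consulted first; unmapped mechanisms fall back to the "best slot" search. */
typedef struct { mech_t mech; const slot_t *slot; } mapping_t;

static const slot_t *select_mapped(const mapping_t *map, size_t nmap,
                                   const slot_t *all, size_t nall, mech_t m) {
    for (size_t i = 0; i < nmap; i++)
        if (map[i].mech == m && slot_supports(map[i].slot, m)) return map[i].slot;
    return select_from_list(all, nall, m);
}

/* Constructed scenario from the thread: slots A and B both support RSA and DSA,
 * and the application wants RSA on A but DSA on B. */
static const slot_t slots[2] = { { "A", { MECH_RSA, MECH_DSA, 0 } },
                                 { "B", { MECH_RSA, MECH_DSA, 0 } } };
static const mapping_t app_map[1] = { { MECH_DSA, &slots[1] } };

const char *list_choice(mech_t m) {            /* list: first match always wins */
    const slot_t *s = select_from_list(slots, 2, m); return s ? s->name : "none";
}
const char *mapped_choice(mech_t m) {          /* mapping: DSA -> B, RSA falls back to A */
    const slot_t *s = select_mapped(app_map, 1, slots, 2, m); return s ? s->name : "none";
}
```

With the list alone both mechanisms land on A; with the mapping DSA goes to B while unmapped RSA still gets the best-slot fallback.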