[xmlsec] loading crypto engines as plugins, build changes, etc.

Edward Shallow ed.shallow@rogers.com
Sat, 20 Sep 2003 14:33:08 -0400


It seems we have touched a nerve !!!

Love your passion, but Wouter's excellent work in writing to the Windows
CAPI interface (which is simply an interface)
puts all of us in a position to replace the underlying Crypto Service
Provider (i.e. CSP) with for example a smartcard vendor's CSP accessing a
secure hardware token or smartcard, etc ...

Similarly with the NSS implementation, we are now able to substitute PKCS11
providers and again leverage alternate crypto engines and
key storage facilities.

Please tell me how that would be done in an OpenSSL environment with its
terribly "thin" key storage management ?

Ed


-----Original Message-----
From: xmlsec-admin@aleksey.com [mailto:xmlsec-admin@aleksey.com] On Behalf
Of Igor Zlatkovic
Sent: September 20, 2003 11:32 AM
To: Aleksey Sanin; xmlsec@aleksey.com

Hi there,

> Probably in the future we should make mscrypto the default crypto
> engine on Windows (Igor?).

No, but you heard that already. :-)

There is a difference between security and obscurity. All algorithms are
known, so are most implementations. If you won't show me your code so I see
what it does, then I must assume that you have something to hide and will
compromise my secrets; and I will keep a watchful eye on you, even if I
never meet you again.

Cryptography exists for one, and only one, reason: because people don't
trust each other. If I don't trust you enough to let you read my mail, but I
blindly trust an obscure encryption system you have made, then I am a simple
fool.

The point of it all: Cryptography software is either open source, or
non-existent, as far as I am concerned. Everything else can be proprietary, but
crypto cannot. That simply defeats the very reason of its existence. Set
mscrypto as the default in xmlsec and what advantage over msxml would
remain?

> Also it would be nice to include all the supported xmlsec-<crypto>
> libraries in Windows binaries (again, Igor? :) )

For the love of completeness, yes. For myself, I would like to leave out
everything that uses a proprietary system beneath. For the reasons described
above, I would not encourage people to use it by distributing the binary.
However, I should have spoken that earlier, before the bloody thing was
made. Leaving it out now is a spit in the face to everyone who contributed
to it. I am not happy about it, but the binary will have all supported bits.

Ciao,
Igor

_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec