I'll second that. OpenSSL works excellently in isolation, but when you come to use it in a context in which there are *already* keys and certificate stores (e.g. CAPI) it would be excellent to be able to access those directly, so that our software has the same familiar quirks as Microsoft's, and the relevant data are already there and users don't have to do anything extra to use our software as opposed to the existing web browsers. Would your implementations cover this sort of area? If there's anything I can do in terms of testing (or even possibly coding), let me know.

At 14:37 20/06/02 -0500, you wrote:
>Date sent: Thu, 20 Jun 2002 15:02:36 -0400 (EDT)
>From: Geoff Thorpe <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: [openssl.org #86] Bug in RSA_check_key
>Send reply to: [EMAIL PROTECTED]
>
>Just my two cents on the engine code in general. Months ago I
>discussed with one of the OpenSSL team members how to use the engine
>code in OpenSSL to enable Smart Card/USB RSA key processing for TLS
>and SSH client authentication for those certificates/private keys
>contained within the Windows based Netscape and Microsoft browser
>stores/databases, and private keys that could not be removed from the
>Smart Cards/USB tokens.
>
>I implemented the ideas presented to me, and they work great for TLS,
>SSH-1 and SSH-2 public/private key authentication. Many times since
>then I have been asked by our clients that knew we used OpenSSL
>internally for all of our crypto support how we were able to get
>OpenSSL to utilize the private keys located on the Smart cards, and
>how we utilized the CA certificates contained within the browsers
>with OpenSSL.
>
>There has been some discussion recently about the direction of the
>engine code, and of a generic PKCS11 interface. I would think that
>a large number of Windows based users/developers would benefit by a
>real simple high level API that provides these services without
>having to understand anything about the engine details or by using
>PKCS-11 at all. Let Netscape worry about the PKCS-11 details, and
>Microsoft OS worry about the CAPI stuff.
>
>It would make an already superior crypto toolkit, even better.
>
>Ken

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]