On 2007.11.19 at 20:46:36 +1000, Peter Waltenberg wrote:

> There are some things that are "quite hard" problems doing it the other way
> round. FIPS certification with the OpenSSL engine plugin active is probably
> the worst.
> With PKCS#11 on top of OpenSSL you have an "industry standard" API, which
> most hardware cards support. So you could swap a FIPS certified hardware
> card with a FIPS certified PKCS#11 on top of OpenSSL. Using OpenSSL with
> the engine code underneath doesn't make much sense in this context.
Since 0.9.9, engine modules can add new algorithms, not only new implementations (i.e. hardware-supported ones) of existing algorithms. My problem is actually to use the existing implementation of the GOST algorithms (the ccgost engine) in Mozilla-based products. It seems that libnss already includes some support for these algorithms if their implementation is provided by a PKCS#11 module.

Of course, it has nothing to do with FIPS. In this case, if we had to certify our solution, it would be a quite different certification body. Actually, in this case we don't need certification of this module at all (just as the ccgost engine is not certified by the Russian authorities). We need an open-source implementation which can work in Mozilla and can be used for testing and debugging.

Really, I suppose not all users need a FIPS-certified version of the cryptographic module. If the server is FIPS-certified, the client browser needs to be interoperable, but not necessarily certified. Suppose that the client is under another jurisdiction. It has its own certification bodies. Or even under the same jurisdiction it is not necessary that a private person's browser be certified.

> Note that IBM does have an open source PKCS#11 which sits on top of
> OpenSSL, search for opencryptoki. That doesn't solve the FIPS problem
> though due to some details of its design.

It is interesting. I'd look into it.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
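Added illustration, not part of the message above and not text from the OpenSSL project: the reply refers to the ccgost engine as the existing implementation of the GOST algorithms in OpenSSL. An engine that adds new algorithms (rather than a hardware back-end for existing ones) is only usable by applications once it is loaded, and the usual way to do that without changing application code is an engine section in openssl.cnf. The fragment below loads ccgost dynamically and registers its algorithms as defaults; the shared-object path, the section names and the chosen parameter set are assumptions for this example and must be adjusted to the local installation.

```ini
# Added example: openssl.cnf fragment that loads the ccgost engine.
# Section names (openssl_def, engine_section, gost_section) are arbitrary
# labels chosen for this example; the keys inside gost_section are the
# ones the dynamic engine loader and ccgost read.

openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
gost = gost_section

[gost_section]
# engine_id must match the id the engine reports ("gost" for ccgost)
engine_id = gost
# Assumed install path of the ccgost shared object; differs per system.
dynamic_path = /usr/lib/openssl/engines/libgost.so
# Make the engine's digests, ciphers and key types the default
# implementations, so EVP lookups by name (e.g. md_gost94) resolve to it.
default_algorithms = ALL
# Default parameter set for GOST 28147-89 encryption (assumed choice).
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
```

With the fragment in place, `openssl engine -c gost` should list the engine together with the algorithms it supplies, and `openssl dgst -md_gost94 somefile` should succeed; if the engine did not load, the `-md_gost94` option is reported as unknown, which is the quickest check that the configuration is actually being read. This covers the OpenSSL side only; exposing the same algorithms to libnss still requires a PKCS#11 module, as the message notes.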
