On 20 February 2016 at 21:40, Sander Temme <san...@temme.net> wrote:

> However, I’m intrigued by the notion of a PKCS#11 Engine in OpenSSL: it’s
> a standard (an OASIS standard now); it’s fairly fully featured; everyone in
> the industry supports it including Thales; and you can build a program that
> calls it without needing a vendor SDK, because there are standard headers
> and a well defined way to get to the entry points.  If we can come up with
> a way to pick a PKCS#11 slot and log into it that makes sense (e.g. not by
> poking PINs into a system wide config file etc.) then I think we’d have a
> winner.
>

Let's not forget that CHIL provides one very unique feature - forked
process keeps the authentication state of its parent and can access HSM
keys if its parent was authenticated. PKCS#11 specification prohibits such
behavior (PKCS#11 v2.20 chapter 6.6.1) and because of that PKCS#11 based
engine couldn't fully replace CHIL engine.

Regards, Jaroslav
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to