Dan M wrote:
> Re-read my initial post, and I asked the wrong question. It was written in
> haste, my apologies. Let me clarify...
>
> We're actually not looking to replace the SSL engine in Firefox, but just
> use a different crypto provider (I was thinking OpenSSL crypto "engine" when
> I wrote the message). We're developing a hardware device similar to a
> crypto accelerator and, when it is installed on the local machine, we would
> like all SSL-related crypto routines in Firefox to be redirected to our
> device.
By "all SSL-related crypto routines", do you mean to include all the
signature verification functions, such as those done to verify cert chains
received from remote servers?
> My hardware developers tell me this could be quite cumbersome if we're not
> implementing the full PKCS#11 interface. I'm just looking to find out
> whether it can be done without implementing all the authentication features
> of PKCS#11.
What are their concerns exactly?
LOTS of people, companies and projects have implemented enough of PCKS#11
for their purposes, to do SSL with their crypto providers. That includes
everything from high end "network attached crypto accelerators" to low end
USB crypto fobs ("dongles").
NSS provides an open source "framework" for implementing a PKCS#11 module.
NSS's own "soft token" PKCS#11 module is pretty complete (enough for NSS's
own purposes) and is open source, so it provides major implementation clues
for others doing their own implementations.
Finally, I wonder what you mean by "all the authentication features".
Clearly a PKCS#11 module that will do private key operations without
authentication of any sort is an oracle, just waiting to be used by
"bad guys". (Who needs to have your private key when they can just get
your module to use if for them whenever they like?)
In any case, I do think PKCS#11 is your best bet. It's well supported
and LOTS of others have trod that path before you.
--
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
