Dan M wrote:
> Re-read my initial post, and I asked the wrong question. It was written in
> haste, my apologies. Let me clarify...
>
> We're actually not looking to replace the SSL engine in Firefox, but just
> use a different crypto provider (I was thinking OpenSSL crypto "engine" when
> I wrote the message). We're developing a hardware device similar to a
> crypto accelerator and, when it is installed on the local machine, we would
> like all SSL-related crypto routines in Firefox to be redirected to our
> device.
By "all SSL-related crypto routines", do you mean to include all the signature verification functions, such as those done to verify cert chains received from remote servers?

> My hardware developers tell me this could be quite cumbersome if we're not
> implementing the full PKCS#11 interface. I'm just looking to find out
> whether it can be done without implementing all the authentication features
> of PKCS#11.

What are their concerns exactly?

LOTS of people, companies and projects have implemented enough of PKCS#11 for their purposes, to do SSL with their crypto providers. That includes everything from high end "network attached crypto accelerators" to low end USB crypto fobs ("dongles").

NSS provides an open source "framework" for implementing a PKCS#11 module. NSS's own "soft token" PKCS#11 module is pretty complete (enough for NSS's own purposes) and is open source, so it provides major implementation clues for others doing their own implementations.

Finally, I wonder what you mean by "all the authentication features". Clearly a PKCS#11 module that will do private key operations without authentication of any sort is an oracle, just waiting to be used by "bad guys". (Who needs to have your private key when they can just get your module to use it for them whenever they like?)

In any case, I do think PKCS#11 is your best bet. It's well supported and LOTS of others have trod that path before you.

--
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
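The "oracle" point above, as an added illustration that is not code from the thread, from NSS or from any real PKCS#11 module: a small C model of a token that refuses private-key operations until C_Login has succeeded. The type definitions and return codes are simplified stand-ins for pkcs11.h, the PIN is a constructed demo value, and the "signature" is a placeholder rather than real crypto.

```c
/* Simplified stand-ins for the pkcs11.h types and return codes used here. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef unsigned long CK_RV;
typedef unsigned long CK_USER_TYPE;
#define CKR_OK                 0x000UL
#define CKR_PIN_INCORRECT      0x0A0UL
#define CKR_USER_NOT_LOGGED_IN 0x101UL
#define CKU_USER               1UL

/* Session state: all that matters for this example is whether the user
 * has authenticated to the token in this session. */
typedef struct { int logged_in; } Session;

static const char *DEMO_PIN = "1234"; /* constructed demo value */

CK_RV C_Login(Session *s, CK_USER_TYPE user, const char *pin) {
    if (user != CKU_USER || strcmp(pin, DEMO_PIN) != 0) return CKR_PIN_INCORRECT;
    s->logged_in = 1;
    return CKR_OK;
}
CK_RV C_Logout(Session *s) { s->logged_in = 0; return CKR_OK; }

/* Private-key operation: refused unless the session is authenticated.
 * Without this check, any process that can open a session can sign. */
CK_RV C_Sign(Session *s, const uint8_t *data, size_t len, uint8_t *sig, size_t *siglen) {
    if (!s->logged_in) return CKR_USER_NOT_LOGGED_IN;
    uint8_t acc = 0; /* placeholder XOR "signature", not a real key operation */
    for (size_t i = 0; i < len; i++) acc ^= data[i];
    sig[0] = acc; *siglen = 1;
    return CKR_OK;
}

/* Scenario helpers: each returns 1 when the token behaves as intended. */
int sign_refused_before_login(void) {
    Session s = {0}; uint8_t sig[1]; size_t n = 0;
    return C_Sign(&s, (const uint8_t *)"abc", 3, sig, &n) == CKR_USER_NOT_LOGGED_IN && n == 0;
}
int wrong_pin_keeps_token_locked(void) {
    Session s = {0}; uint8_t sig[1]; size_t n = 0;
    if (C_Login(&s, CKU_USER, "0000") != CKR_PIN_INCORRECT) return 0;
    return C_Sign(&s, (const uint8_t *)"abc", 3, sig, &n) == CKR_USER_NOT_LOGGED_IN;
}
int sign_allowed_after_login(void) {
    Session s = {0}; uint8_t sig[1]; size_t n = 0;
    if (C_Login(&s, CKU_USER, DEMO_PIN) != CKR_OK) return 0;
    if (C_Sign(&s, (const uint8_t *)"abc", 3, sig, &n) != CKR_OK) return 0;
    return n == 1 && sig[0] == ('a' ^ 'b' ^ 'c') && C_Logout(&s) == CKR_OK && !s.logged_in;
}
```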