On 9/18/2018 4:01 PM, Adam Petcher wrote:
On 9/11/2018 11:07 AM, Adam Petcher wrote:
I still haven't been convinced that this lack of interoperability is
a significant problem. In the proposed design, the new KeyFactory
will not support ECPrivateKeySpec, and the implementation will
produce private keys that inherit from PrivateKey, but not
ECPrivateKey. Specifically, what problems in JCE are introduced by
this design? How are these interoperability issues different from the
ones you encounter with a PKCS11 provider that doesn't export private
keys? If the developer wants more interoperability, why not use
SunEC? If we decide that we want the new implementation to have
better interoperability in the future, does something prevent us from
enhancing it? These questions are for anyone who can help me
understand the objections that have been raised related to
interoperability.

A week has passed since I asked these questions to the mailing list,
and I haven't gotten any answers. Without additional information, I'm
not motivated to change the interoperability goals in the draft JEP.

Adam -

Basically, the JCE is all about plugging in, not about the
implementations. If this is truly an EC library, I should be able to
get the benefit of your library with very minimal changes - e.g.
specifying your provider in the various getInstance() calls. As it
stands, I doubt this will end up in anyone's "must use" category because
it will break existing code.

You want folks to convince you that interoperability is a significant
problem when what we (or at least I) want is for you to convince us that
these interop breaks are warranted due to how wonderful your approach is
and that they're absolutely necessary due to the secret sauce of
wonderfulness. You're not there yet.

As for PKCS11 - there are exportable and non-exportable private keys
(e.g. PKCS11 with an accelerator vs an HSM for example). The exportable
ones show up as ECPrivateKeys, the non-exportable ones as PrivateKeys
(and I think with an underlying type of PKCS11Key...). So it follows
the model for exportable keys. And every PKCS11 provider I've used at
least has a way of IMPORTING ECPrivateKeys.

Later, Mike
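
An added illustration, not code from either poster or from the draft JEP: how provider-agnostic Java code can tell a transparent EC private key (an ECPrivateKey) from an opaque one (a plain PrivateKey), the distinction drawn in the message above. The class name, the helper names and the opaque stand-in key are constructed for this example, and it assumes the JDK's default EC provider is installed.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.ECPrivateKey;
import java.security.spec.ECPrivateKeySpec;
import java.security.spec.InvalidKeySpecException;

public class EcKeyInterop {
    // Report how much of a private key the caller can see.
    static String describe(PrivateKey key) {
        if (key instanceof ECPrivateKey) {
            int bits = ((ECPrivateKey) key).getParams().getCurve().getField().getFieldSize();
            return "transparent ECPrivateKey, " + bits + "-bit field";
        }
        return key.getEncoded() == null ? "opaque PrivateKey, not exportable"
                                        : "opaque PrivateKey, " + key.getFormat() + " encoding";
    }

    // Ask the default EC KeyFactory for the private scalar; null if the key will not give it up.
    static BigInteger exportScalar(PrivateKey key) throws NoSuchAlgorithmException {
        try {
            return KeyFactory.getInstance("EC").getKeySpec(key, ECPrivateKeySpec.class).getS();
        } catch (InvalidKeySpecException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        PrivateKey transparent = kpg.generateKeyPair().getPrivate();

        // Constructed stand-in for a key that exposes no key material (assumption for the demo).
        PrivateKey opaque = new PrivateKey() {
            public String getAlgorithm() { return "EC"; }
            public String getFormat() { return null; }
            public byte[] getEncoded() { return null; }
        };

        for (PrivateKey k : new PrivateKey[] { transparent, opaque }) {
            System.out.println(describe(k) + "; scalar exported: " + (exportScalar(k) != null));
        }

        // Code that only needs the PrivateKey type works without any cast.
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(transparent);
        sig.update("constructed sample message".getBytes("UTF-8"));
        System.out.println("signature bytes: " + sig.sign().length);
    }
}
```

Callers written this way branch on what the key exposes instead of casting unconditionally to ECPrivateKey, so an opaque key leads to a handled case rather than a ClassCastException.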