On 9/18/2018 4:01 PM, Adam Petcher wrote:
On 9/11/2018 11:07 AM, Adam Petcher wrote:


I still haven't been convinced that this lack of interoperability is a significant problem. In the proposed design, the new KeyFactory will not support ECPrivateKeySpec, and the implementation will produce private keys that inherit from PrivateKey, but not ECPrivateKey. Specifically, what problems in JCE are introduced by this design? How are these interoperability issues different from the ones you encounter with a PKCS11 provider that doesn't export private keys? If the developer wants more interoperability, why not use SunEC? If we decide that we want the new implementation to have better interoperability in the future, does something prevent us from enhancing it? These questions are for anyone who can help me understand the objections that have been raised related to interoperability.

A week has passed since I asked these questions to the mailing list, and I haven't gotten any answers. Without additional information, I'm not motivated to change the interoperability goals in the draft JEP.


Adam -

Basically, the JCE is all about plugging in not about the implementations.  If this is truly an EC library, I should be able to get the benefit of your library with very minimal changes - e.g. specifying your provider in the various getInstance() calls.   As it stands, I doubt this will end up in anyone's "must use" category because it will break existing code.

You want folks to convince you that interoperability is a significant problem when what we (or at least I) want is for you to convince us that these interop breaks are warranted due to how wonderful your approach is and that they're absolutely necessary due the secret sauce of wonderfulness.  You're not there yet.

As for PKCS11 - there are exportable and non-exportable private keys (e.g. PKCS11 with an accelerator vs an HSM for example).  The exportable ones show up as ECPrivateKeys, the non-exportable ones as PrivateKeys (and I think with an underlying type of PKCS11Key...).  So it follows the model for exportable keys.  And every PKCS11 provider I've used at least has a way of IMPORTING ECPrivateKeys.

Later, Mike


Reply via email to