Subject: Re: [ISC-Bugs #46749] Update PKCS #11 OpenSSL engine usage documentation in ARM
From: "Evan Hunt" <each@isc.org>
To: "Mukund Sivaraman via RT"
Date: Sun, 3 Dec 2017 07:13:12 +0000
Message-ID: <20171203071312.GA16117@isc.org>
References: <20171202142323.GA20227@jurassic.lan.banu.com> <20171203015127.GA13120@isc.org> <20171203040422.GA28025@jurassic.lan.banu.com>

> > I agree the doc should be updated though. Native PKCS#11 is much more
> > useful now and ought to be emphasized.
>
> How is it more useful?

I meant it's more useful than it was when we first shipped it, because there are more HSMs that support it now.

> I want us to minimize the amount of crypto code we have in BIND tree. I
> want us to drop the native PKCS #11 code and stick to the OpenSSL engine
> code. With that we'll use a single crypto implementation in the tree.

Okay, I misunderstood you then, and I disagree. Unless things have changed substantially since I last looked, OpenSSL doesn't support PKCS#11; the pkcs11 engine is implemented by the patches we provide, which were never accepted by the upstream maintainers, and they don't really work all that well; debugging is a huge pain.
I think if we're going to support PKCS#11, native is the better way to go. If I recall correctly, the only reason we kept OpenSSL PKCS#11 was that you couldn't run native PKCS#11 with the AEP Keyper. (And that may not even be true anymore.)