On 12/04/14 21:33, Florian Weimer wrote:
* Julien Pierre:
Strange that "PKCS#11 support" is listed as a "con" for NSS.
I found the PKCS#11 approach rather difficult to deal with if you're
adding cryptography to some library whose client code has no idea that
there is cryptography involved (and that NSPR and NSS need
initialization). The global state is horrible in this scenario, and
with an increased push towards use of cryptography, it comes up more
and more often.
Moving to OpenSSL won't remove that issue though:
http://wiki.openssl.org/index.php/Library_Initialization
(OpenSSL, unlike PKCS#11, doesn't require initialization
on fork, though there are related problems:
http://wiki.openssl.org/index.php/Random_fork-safety)
And of course if you use OpenSSL's PKCS#11 engine, then
you have the problem that you reimpose PKCS#11 requirements
on a layer that didn't know it was using PKCS#11.
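The fork-safety problem behind the second wiki link is easy to reproduce without any crypto library at all. The program below is an added illustration, not code from this thread or from OpenSSL or NSS: it uses a toy xorshift generator (a stand-in for a real CSPRNG) whose state lives in process memory, seeds it once in the parent, forks, and draws one value on each side. Without a fork check the child repeats the parent's output, because fork() duplicated the generator state byte for byte. With the check (the same pid-comparison trick older OpenSSL releases used) the child notices it is no longer the process that seeded the state and reseeds before producing anything. The function `child_repeats_parent`, the struct and its seed value are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy generator (xorshift64*), a stand-in for a real CSPRNG. Its state is
   ordinary process memory, so fork() copies it unchanged into the child. */
struct toy_rng {
    uint64_t state;
    pid_t    owner;   /* pid of the process that last (re)seeded the state */
};

static void toy_rng_seed(struct toy_rng *r, uint64_t seed) {
    r->state = seed ? seed : 0x9E3779B97F4A7C15ULL;  /* xorshift needs nonzero state */
    r->owner = getpid();
}

static uint64_t toy_rng_next(struct toy_rng *r, int fork_safe) {
    if (fork_safe && r->owner != getpid()) {
        /* Fork detected: mix something the parent cannot have had into the
           state. Here the child's pid stands in for a real entropy source.
           A bare pid comparison can miss a fork when the pid is reused;
           pthread_atfork() handlers are the more robust way to notice. */
        uint64_t pid = (uint64_t)getpid();
        toy_rng_seed(r, r->state ^ (pid << 32) ^ pid);
    }
    uint64_t x = r->state;
    x ^= x >> 12;
    x ^= x << 25;
    x ^= x >> 27;
    r->state = x;
    return x * 0x2545F4914F6CDD1DULL;
}

/* Seed once in the parent, fork, draw one value on each side and compare.
   Returns 1 if the child produced the parent's value (the fork-safety bug),
   0 if the values differ, -1 if fork/pipe failed. */
int child_repeats_parent(int fork_safe) {
    struct toy_rng rng;
    toy_rng_seed(&rng, 0x1234567ULL);   /* constructed seed for the demo */

    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: same state as the parent unless the fork check reseeds it. */
        uint64_t v = toy_rng_next(&rng, fork_safe);
        if (write(fd[1], &v, sizeof v) != (ssize_t)sizeof v) _exit(1);
        _exit(0);
    }
    close(fd[1]);
    uint64_t parent_v = toy_rng_next(&rng, fork_safe);
    uint64_t child_v = 0;
    ssize_t n = read(fd[0], &child_v, sizeof child_v);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof child_v) return -1;
    return parent_v == child_v;
}

int main(void) {
    printf("no fork check : child repeats parent = %d\n", child_repeats_parent(0));
    printf("with fork check: child repeats parent = %d\n", child_repeats_parent(1));
    return 0;
}
```

The same duplicated-state picture is why PKCS#11 insists on C_Initialize being called again in the child: a token session handle, like the generator state above, is process-local data that fork() copies but does not re-establish.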
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto