On Tue, May 24, 2011 at 7:19 PM, Gordan Bobic <gordan@xxxxxxxxxx> wrote: > On 05/24/2011 07:05 PM, Peter Robinson wrote: >> On Tue, May 24, 2011 at 6:11 PM, Andrew Haley<aph@xxxxxxxxxx> wrote: >>> On 05/23/2011 04:12 PM, Gordan Bobic wrote: >>>> omalleys@xxxxxxx wrote: >>>> >>>>> My question, is how hard is this to implement the hardware support >>>>> non-openssl programs. >>>> >>>> Not particularly hard if you're writing your own crypto implementation >>>> anyway, but there's a lot to be said for just linking against OpenSSL. >>>> It's probably safer to link against the library that has a lot of eyes >>>> on it than it is to implement your own. >>>> >>>>> OpenAFS could use this as it can use a lot of DES >>>>> encryption, but it uses its own DES implementation. It also happens to >>>>> be the only one I can think of off the top of my head that uses its own >>>>> implementation. It would be nice to have. >>> >>> gpg seems to use its own AES implementation that's slower than SSL's. >>> It would certainly be nice to fix that to use acceleration. >> >> It would be better to use nss as it has the option of all the various >> fips certifications which would be useful for gpg. > > Just out of interest, what is the "fips" option to configure on OpenSSL for? > >> Alternatively I would think it would be better to use the HW crytpo >> user interface directly so you get HW acceleration if it avail or >> fallback if its not. > > Sure, just as OpenSSL does. The point here was that if it can be built > to link against OpenSSL, it doesn't have to modify it's bundled crypto > implementation for options with all possible crypto engines. > >> I'd personally prefer not to use openssl for gpg >> as its not the most secure beast. > > The issue here seems to be philosophical. The simple fact is that we > trust so much to OpenSSL we might as well save ourselves some memory and > effort of reimplementing the wheel and maintaining that reimplemented > wheel. Considering we already trust ssh and https in almost all > instances to OpenSSL, I think the issue is pretty academic. > > One other thing to consider is that the reason OpenSSL gets > cryptanalyzed so much is specifically because it is so popular. It also > has a lot of eyes on it making sure it is tight and stays that way. IMO, > using something else is bordering on security through obscurity - and > that shouldn't be encouraged. NSS gets a lot of review as well as its used in firefox and a lot of other enterprise products (from RH and others). FIPS is one of the certifications and reviews. There's some detail here [1] on the difference between the FIPS differences between NSS and openssl. Peter [1] http://fedoraproject.org/wiki/FedoraCryptoConsolidation#FIPS_140 _______________________________________________ arm mailing list arm@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/arm
