OpenSC and OpenSSL


Martin Paljak-4

"OpenSSL must die, for it will never get any better."

http://queue.acm.org/detail.cfm?id=2602816

While it is just the 2014 FOSDEM talk made more tangible, it is worth
reading.

The fact that OpenSC is interwoven with OpenSSL has been a long-known
"trouble point". While it might be good for OpenSSL it certainly
doesn't make it better for OpenSC that Google is thinking of moving
from NSS to OpenSSL:

https://docs.google.com/document/d/1ML11ZyyMpnAr6clIAwWrXD53pQgNR-DppMYwt9XvE6s/preview?pli=1&sle=true

PHK suggests a "godsend" that doesn't exist yet, but something we
looked into a few years ago:

"We need a well-designed API, as simple as possible to make it hard
for people to use it incorrectly. And we need multiple independent
quality implementations of that API, so that if one turns out to be
crap, people can switch to a better one in a matter of hours."

While OpenSC doesn't depend on OpenSSL in the sense of being
vulnerable because of *SSL/TLS* issues in it (and partially thanks to
the policy that OpenSC *should not do crypto itself unless it has to*
but "delegate the problem to the card") we *really-really* need to
think how to handle this. So that adjustments could easily be made for
other platforms and libraries. Especially for any new code.

We probably can't get rid of OpenSSL overnight, nor must we do it, but
being able to do that easily and adjusting the internals of OpenSC so
that it would be *possible* in the first place, is something that
would contribute to the overall design (architecture) of OpenSC a
great deal. Lack of meaningful constraints hurts OpenSC rather than
helps. Borders, contracts, interfaces - all that seems like a useless
burden but in the end it is good to have some.

Other than that, I hope that not too many people think the same way of
OpenSC as they think of OpenSSL :)

Best,

--
Martin
+372 515 6495

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel