[cryptography] IETF Working Group Charter on Common Interface to Cryptographic Modules (CICM)

Nico Williams nico at cryptonector.com
Mon Jun 20 16:34:03 EDT 2011


On Mon, Jun 20, 2011 at 3:01 PM, Novikov, Lev <lnovikov at mitre.org> wrote:
> On 2011-06-19 12:38, Peter Gutmann wrote:
>> Just one word really: Why?
>
> There is an existing class of devices and environments (e.g., military
> and diplomatic communications) which have particular requirements that
> are hard to retrofit into existing crypto APIs (i.e. the logical models
> are substantially different).
>
> For example, many of these devices operate in a manner such that the
> results of cryptographic operations are not returned to program that
> initiate the operation--as they are in existing crypto APIs. Rather,
> the request starts in one security domain, is executed by the crypto
> (which is on the border between two domains), and the result emanates in
> another domain.

The GSS-API has been growing extensions to deal with these situations
by exposing more information to the application.  There's also some
extensions by which to specify policies/profiles to apply.

Creating a whole *new* API to layer above the GSS-API would be OK IFF
the new API were effectively a simplified profile of the GSS-API.

Nico
--



More information about the cryptography mailing list