Fedora crypto consolidation
Nicolas.Williams at sun.com
Tue Mar 25 17:45:45 EDT 2008
On Tue, Mar 25, 2008 at 03:48:40PM -0400, Sam Hartman wrote:
> I think we would definitely be interested in working with Redhat to
> try and find designs that avoided API breaks if possible.
> I assume the big issue is keyblocks?
Note that we've already made changes to our MIT krb5-derived Solaris
Kerberos stack to use PKCS#11 for all crypto operations.
We resolved the krb5_keyblock size, layout and key derivation cache
issues in a way that we had the luxury to do because we'd not then yet
exposed the krb5 API. However, I believe these issues could be resolved
in MIT krb5 without breaking the API.
I don't know for sure, but we might prefer to donate that code (i.e.,
under the MIT license, rather than the CDDL) so as to preserve our
More information about the krbdev