[xmlsec] loading crypto engines as plugins, build changes, etc.

Edward Shallow ed.shallow at rogers.com
Sat Sep 20 11:33:08 PDT 2003

It seems we have touched a nerve !!!

Love your passion, but Wouter's excellent work in writing to the windows
CAPI interface (which is simply an interface) 
puts all of us in a position to replace the underlying Crypto Service
Provider (i.e. CSP) with for example a smartcard vendor's CSP accessing a
secure hardware token  or smartcard, etc ...

Similarly with the NSS implementation, we are now able substitute PKCS11
providers and again leverage alternate crypto engines and 
Key storage facilities.

Please tell me how that would be done in an OpenSSL environment with its
terribly "thin" key storage management ?


-----Original Message-----
From: xmlsec-admin at aleksey.com [mailto:xmlsec-admin at aleksey.com] On Behalf
Of Igor Zlatkovic
Sent: September 20, 2003 11:32 AM
To: Aleksey Sanin; xmlsec at aleksey.com

Hi there,

> Probably in the future we should make mscrypto the default crypto 
> engine on Windows (Igor?).

No, but you heard that allready. :-)

There is a difference between security and obscurity. All algorithms are
known, so are most implementations. If you won't show me your code so I see
what it does, then I must assume that you have something to hide and will
compromise my secrets; and I will keep an watchful eye on you, even if I
never meet you again.

Cryptography exists for one, and only one, reason: because people don't
trust each other. If I don't trust you enough to let you read my mail, but I
blindly trust an obscure encryption system you have made, then I am a simple

The point of it all: Cryptography software is either open source, or
non-existent, as far I am concerned. Everything else can be proprietary, but
crypto cannot. That simply defeats the very reason of its existence. Set
mscrypto as the default in xmlsec and what advantage over msxml would

> Also it would be nice to include all the supported xmlsec-<crypto> 
> libraries in Windows binaries (again, Igor? :) )

For the love of completeness, yes. For myself, I would like to leave out
everything that uses a proprietary system beneath. For the reasons described
above, I would not encourage people to use it by distributing the binary.
However, I should have spoken that earlier, before the bloody thing was
made. Leaving it out now is a spit in the face to everyone who contributed
to it. I am not happy about it, but the binary will have all supported bits.


xmlsec mailing list
xmlsec at aleksey.com

More information about the xmlsec mailing list