[Kea-users] Botan vs. OpenSSL dependency for Kea
Francis Dupont
fdupont at isc.org
Wed Mar 9 11:53:40 UTC 2016
Shane Kerr writes:
> Your blog article on this is informative:
>
> https://www.isc.org/blogs/the-crypto-library-disaster/
=> thanks.
> Personally I think the insistence on FIPS-2 certification is a bit
> misplaced. Certification can actually make organizations less agile in
> responding to security problems, thereby ultimately less secure rather
> than more.
=> one can argue the certification is the ultimate external review but
in fact in some environments (including one I worked in before joining ISC)
you have simply no choice...
> Still, some administrators have that requirement,
=> yes they have so their system providers have and they asked us
explicitely to support an alternative to Botan.
> so crypto agility is ultimately a good thing. :)
=> I think you mean backend agility (crypto agility is for instance
to allow MD5. SHA1 and SHA2 vs MD5 only). Of course it is a good thing!
And note the OpenSSL alternative was proposed before OpenSSL problems
so before it becomes obvious that crypto agility is a must.
Thanks
Francis Dupont <fdupont at isc.org>
PS: Kea (and DHCP) uses only hash and hmac, things which are implemented
in PKCS#11 providers in software, i.e., not using the crypto hardware
of HSMs.
More information about the Kea-users
mailing list