[Cryptography-dev] HSM and other algorithms
Paul Kehrer
paul.l.kehrer at gmail.com
Fri May 2 16:16:33 CEST 2014
Hi Alex, answers inline.
On May 2, 2014 at 7:31:38 AM, Alex (ralienpp at gmail.com) wrote:
Hi,
Having reviewed the documentation of `cryptography` and looked through
the available examples, I still have some unanswered questions.
1. how to use an HSM for private key storage? Are there any high-level
features for this purpose, or is one expected to be familiar with how
a specific backend deals with it?
At the moment there is no support for HSMs. We have long-term plans for adding support for PKCS11 (and KMIP), and we may also expose the OpenSSL engine system more directly. Some of the work we’re undertaking for the next major release (there is one going out today/tomorrow) is focused on reworking the structure of our asymmetric key objects to be better suited for HSMs.
2. are there plans to introduce high-level primitives for XAdES or
PAdES signatures? Or is it outside the scope of the library (and we're
supposed to do it ourselves via hazmat)?
Our guiding principle for what is in scope for this library is that we want to be known as the cryptographic standard library for Python. XAdES and PAdES fit within that remit, so I’d support their inclusion (although I am not the only vote obviously!). They are quite different from what we’ve implemented so far in that we won’t get the construction for “free” from the underlying library, and building a robust unit test suite may be challenging.
If and when we start implementing constructions like this it will be interesting to see if we want them to still live in hazmat or if they’re high enough level that we’d feel comfortable exposing them as recipes (like Fernet).
3. what's the preferred method of requesting new things? Say, I would
be interested in a sample that covers "how to produce PKCS7
signatures?", do I just open an issue on Github?
Yes, opening an issue on GitHub is perfect. That’s how we track most of our work. We also hang out in IRC at #cryptography-dev so more informal discussions take place there all the time.
I have previously used other Python crypto libraries, and
`cryptography` looks clean and organized; it is certainly a step
forward from having to fish for answers in OpenSSL code to figure out
how a wrapper calls it.
It is great that you have examples embedded in the documentation
itself, that will be greatly appreciated by people who are looking for
starting points.
We’re always interested in perspectives from consumers on how we can improve the docs, so if you’ve got ideas file an issue or make a PR and we’ll be happy to review/merge it!
Alex
p.s. eagerly waiting to find out which directions will be chosen with
respect to parsing ASN1 structures :-)
_______________________________________________
Cryptography-dev mailing list
Cryptography-dev at python.org
https://mail.python.org/mailman/listinfo/cryptography-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/cryptography-dev/attachments/20140502/0aa424b3/attachment.html>
More information about the Cryptography-dev
mailing list