Subject: Re: Adding opencrypto, crypto accelerator to GENERIC kernels?
To: None <tls@rek.tjls.com>
From: Jonathan Stone <jonathan@dsg.stanford.edu>
List: tech-crypto
Date: 11/19/2003 11:24:25
In message <20031119063513.GA10779@rek.tjls.com>
Thor Lancelot Simon writes:
>No, calling engines from one another isn't very clean or easy either
>AFAICT.
Which reminds me: the opencrypto model is a pretty simple lowest
common denominator. It can accelerate SSL/TLS operations, but only if
the caller (OpenSSL) breaks the SSL/TLS record ops down into a simpler
sequence of crypto primitives.
I know of at least two crypto cards where the hardware would be much,
much, much happier to get explicit SSLv3/TLS requests, in a style like:
1. ``create a context for SSLv3 record operations with
this [single] transform type '' (e.g., 1des/md5 and 3des/md5
would be separate contexts)
2. ``Here's an SSLv3/TLS record and a context: now encrypt/decrypt it''
I have no clue whether the SSL engine is amenable to first trying to
bind high-level (SSL/TLS) operations, before it gives up, binds
low-level crypto transforms, and synthesizes record ops using the
low-level transforms.
But if it can, IMNSO it would be a Good Thing to add a _small_ set of
SSL/TLS record-plus-FIPS-approved-algorithm transforms to opencrypto.