From 743ec40231db809d22487ee60f64d00b7b845807 Mon Sep 17 00:00:00 2001
From: Rob Austein <sra@hactrn.net>
Date: Tue, 9 May 2017 22:59:04 -0400
Subject: Update README.md.

---
 README.md | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index 0671398..d846fe2 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,11 @@ Along with the PKCS #11 library itself, the package includes a
 companion Python interface ("cryptech.py11"), which uses the ctypes
 module from the Python standard library to talk to the PKCS #11
 implementation.  The Python implementation is intended primarily to
-simplify testing the C code, but can be used for other purposes.
+simplify testing the C code, but can be used for other purposes; while
+it seems unlikely that anything could ever make PKCS #11 "fun", the
+`cryptech.py11` library attempts to make it a bit less awful by
+providing both direct acess to the raw PKCS #11 API and a somewhat
+more "pythonic" API layered on top of the raw API.
 
 
 ## Novel design features ##
@@ -40,17 +44,15 @@ The underlying cryptographic support comes from the [Cryptech][]
 
 Testing to date has been done using the `bin/pkcs11/` tools from the
 BIND9 distribution, the `hsmcheck` and `ods-hsmutil` tools from the
-OpenDNSSEC distribution, the `hsmbully` diagnostic tool, and a
-preliminary set of unit tests using Python's unittest library.  Beyond
-the test results (such as they are) reported by these tools, the
-primary test of whether the PKCS #11 code is working as expected has
-been validation of the signed DNSSEC data generated by `hsmcheck -s`,
-via a script using [DNSPython][].
+OpenDNSSEC distribution, the `hsmbully` diagnostic tool, the Google
+`pkcs11test` test suite, and a somewhat ad hoc set of unit tests using
+Python's unittest library along with our own `cryptech.py11` library.
 
-In a nutshell, the current state is that the code runs without
-throwing any obvious errors, generates what DNSPython thinks are good
-signatures, and passes some fairly basic tests.  More testing would be
-a really good idea.
+The library is also known to work as an `OpenSSL` engine when used
+with the `engine-pkcs11` package spun out of the OpenSC project.  This
+has not been tested extensively, but key generation, signature, and
+verification all work (with RSA keys -- the engine appears not to
+understand ECDSA keys, we have not investigated into details here).
 
 
 ## Copyright status ##
@@ -63,5 +65,4 @@ Code written for the [Cryptech][] project is under the usual Cryptech
 BSD-style license.
 
 [PKCS11]:    http://www.cryptsoft.com/pkcs11doc/STANDARD/       "PKCS #11"
-[DNSPython]: http://www.dnspython.org/                          "DNSPython"
 [Cryptech]:  https://cryptech.is/                               "Cryptech"
-- 
cgit v1.2.3