crypto consolidation status?

Gregory Maxwell gmaxwell at gmail.com
Sun Sep 27 14:17:10 UTC 2009


On Sun, Sep 27, 2009 at 1:44 AM, Ken Dreyer <ktdreyer at ktdreyer.com> wrote:
> I read the wiki page[1] on Fedora's effort to consolidate all the
> crypto libraries. Quite an ambitious task! FWN [2] reported on the
> rather large discussion back in '07, but I didn't see any resolution.
> Is this still a goal for Fedora? The main wiki page hasn't been edited
> in almost a year (although the scorecard is still being maintained).
>
> The reason I bring all of this up is that Server Name Indication has
> recently been implemented into httpd's mod_ssl, but SNI is not present
> in mod_nss[3]. If we abandon mod_ssl for mod_nss, we would lose this
> functionality.
[snip]

Is this even a fair and reasonable goal unless the NSS upstream is
really interested in becoming a superset of the functionality offered
by the other crypto libraries?  (I don't know for sure that NSS' goal
is not to— but I think that's unlikely. It's hard to even start a
comparison because NSS doesn't appear to have developer documentation
covering low level cryptographic functions)

Is it reasonable when other package upstreams may not find the
licensing of NSS to be acceptable (i.e. an upstream which is 100% BSD
for it and all its dependencies), or would prefer not to use NSS for
stylistic reasons— Would Fedora carry patches for these applications
in perpetuity?

It's not even clear to me what exactly some of these goals mean i.e.
"Get a cert using Firefox, use it in SSH" when ssh doesn't (normally)
use X.509 certificates.



