[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Should we settle on one SSL implementation?



On Monday 22 October 2007 19:03:46 Thomas M Steenholdt wrote:
> Bernardo Innocenti wrote:
> > It would seem a worthwhile goal to unify SSL/TLS
> > implementations like we did for spell checkers.
> > Or, if it turns out to be too hard, at least it would
> > be nice to their pki files.
>
> I really don't think its our job to decide which SSL implementation is
> used by the various different projects.

You are right, we don't want to decide anyone's preference. What we need to 
accomplish is adding another choice for projects. This way it can be compiled 
against either gnutls/openssl/home brew crypto, or NSS which is FIPS-140-2 
certified and has all the right interfaces for central configuration control.

> Those projects have already chosen which implementation they prefer - It's
> not for us to decide.

And the reason why they chose what they did varies with each project. It could 
be that they never considered NSS because its not talked about very much or 
they don't realize its FIPS-140-2 certified, or maybe they just didn't care. 
But there are enough users out there that really want to see certified crypto 
or they can't really use it in their setting.

> Also, Fedora aims to be as close to upstream as possible, so unless we
> can convince the project to change their preferred SSL implementation,
> I'm all for simply leaving it alone.

That is what we want to do. We want to help upstream projects add choice. We 
want to find out what the rough spots are for NSS and improve its 
documentation and API so that we can use it everywhere.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]