LibTomNet [v0.01]

Eric Rescorla ekr at
Mon Jul 7 19:28:16 EDT 2003

tom st denis <tomstdenis at> writes:
> Two weeks ago I sat down to learn how to code my own SSL lib [key on
> being small].  Suffice it to say after reading the 67 page RFC for SSL
> 3.0 I have no clue whatsoever how to implement SSL.  
Funny, none of the 30 or so other people who have done SSL
implementations had any problem.
> The RFC looks like it was written by a member of the ACLU and done at
> an hourly rate of some sort.  It contains no test vectors, no sample
> source code and generally is not enough information to code a compliant
> SSL protocol.
I'd be interested to know in what way you believe the TLS RFC is
not sufficient to write a compliant implementation. Except for
some edge cases, it's fully specified as far as I know. Anyway,
I'm the document editor so it's my job to fix it.

This isn't an invitation to complain more about the writing
quality (for which I'm not responsible in any case). But if you
think that there's actually something that's unspecified, I
want to know about that.

As for the complexity of TLS, that's what happens when you design
a general protocol. I can pretty much guarantee you that every
part of TLS has been used by someone at one time or another.

> My 64KB demo includes the server, the client, all the crypto [including
> a full RSA implementation] and the LibTomNet protocol.  I could make
> the demo smaller by manually trimming LibTomCrypt.
And we got SSLv2 and v3 in <100 kb without trying particularly
hard, using BSAFE, which is enormous. This isn't much of an argument.

> Not only is my code way smaller than a compliant SSL library but it is
> also simpler.  There are only eight functions in LibTomNet and of
> LibTomCrypt you only need a half dozen at most [setup the prng, RSA key
> gen, export/import].  In other words my code is [should be] very easy to
> work with since there is a minimum of clutter to get in the way.
> I mean just download a copy [v0.03 is the latest] and check out the
> demo [demos/ex1.c]!
> At any rate LibTomNet is not an SSL replacement.  It's a library for
> developers who need simple-to-work-with secure sockets.
This strikes me as quite confused. What makes developers' lives
simple is simple APIs, not simple implementations.


[Eric Rescorla                                   ekr at]
