LibTomNet [v0.01]

M Taylor mctylr at privacy.nb.ca
Tue Jul 8 16:18:53 EDT 2003


On Tue, Jul 08, 2003 at 12:19:54PM -0700, Eric Rescorla wrote:
> tom st denis <tomstdenis at yahoo.com> writes:
> 
> > > My logic is that if you're going to create something new, it should
> > > be better than what already exists. There is precious little
> > > evidence that libtomnet fills that bill.
> > 
> > LibTomNet has eight functions and one data type in the API.  To a
> > complete stranger that is a welcome change from, say, all the
> > constants, functions, and structures in SSL.
>
> As I said before, the problem here isn't SSL. Rather, it's the way
> that OpenSSL does things.  Now, it would be a real contribution for
> you to write a simple wrapper for OpenSSL. I've seen people do stuff
> like that, but it's generally too custom for general use.

There is stunnel (www.stunnel.org), which is a "universal SSL wrapper".

So perhaps Tom could write an EZ-OpenSSL wrapper, which removes
legacy options (disable SSLv2 and SSLv3, just TLSv1), limits algorithm
choice to sensible defaults, and ensures the programmer has random numbers
as decent as are available.

Or rewrite LibTomNet to match the basic PROTOCOL concepts of TLS, without
the legacy compatibility, and reduce/remove algorithm negotiation, etc. No
need to actually be compatible with TLS, just to use the same protocol
concepts.

Until Tom's libtomnet is known/tested to be secure from all known attacks on
SSL/TLS, he should refrain from calling it 'secure', since he cannot be
reasonably certain that it is in fact secure.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
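The three rules M Taylor gives for an "EZ-OpenSSL" wrapper (no legacy protocol versions, a sensible default algorithm set, and a seeded random number source) are concrete enough to show in code. The block below is an added example; it is not code from the post, from LibTomNet or from OpenSSL. It uses Python's standard-library ssl module, which wraps OpenSSL, and it assumes TLS 1.2 as today's protocol floor in place of the 2003 post's "just TLSv1". The cipher string SAFE_CIPHERS and the functions hardened_client_context, legacy_client_context, audit_context and rng_ready are this example's own choices, not anything the post or OpenSSL defines. The "legacy" context is constructed here only as the weak configuration for the audit to flag; its findings for cipher suites depend on what the linked OpenSSL build still ships.

```python
"""Added example (not from the mailing-list post, LibTomNet or OpenSSL):
the three "EZ-OpenSSL wrapper" rules applied with Python's stdlib ssl
module. Assumptions: TLS 1.2 is the floor instead of the 2003 "just TLSv1",
and SAFE_CIPHERS is this example's idea of "sensible defaults"."""
import os
import ssl

# Assumed sensible defaults: forward-secret ECDHE key exchange with AEAD
# bulk ciphers only; anonymous, unencrypted, MD5 and RC4 suites excluded.
# set_ciphers() governs TLS <= 1.2 only; TLS 1.3 suites are a fixed set.
SAFE_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4"

# Name fragments of suites a sane wrapper must never offer.
BAD_CIPHER_TOKENS = ("NULL", "ADH", "AECDH", "RC4", "MD5", "DES-CBC", "EXP")


def hardened_client_context() -> ssl.SSLContext:
    """Rules 1 and 2: no legacy protocol versions, no algorithm sprawl."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already refuses SSLv2/SSLv3; pin the floor
    # explicitly so a system openssl.cnf or interpreter default cannot lower it.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(SAFE_CIPHERS)
    # These are the PROTOCOL_TLS_CLIENT defaults; restate them so the
    # wrapper's contract does not depend on the interpreter version.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The 'before' configuration: everything the wrapper is meant to remove.
    Constructed for this example only, so audit_context() has a target."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL:eNULL:aNULL")  # offer whatever the build still has
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings; an empty list means the context meets
    the protocol, verification and cipher rules. Cipher findings depend on
    what the linked OpenSSL build ships, so they are informative only."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2: legacy SSL/TLS "
                        "versions are negotiable")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate verification not required")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if suite["strength_bits"] < 128 or any(t in name for t in BAD_CIPHER_TOKENS):
            findings.append("weak cipher suite offered: " + name)
    return findings


def rng_ready() -> bool:
    """Rule 3: confirm the PRNG is seeded before any key or nonce is drawn.
    RAND_status() asks OpenSSL's PRNG; os.urandom() is the kernel source
    Python itself uses for key material."""
    return bool(ssl.RAND_status()) and len(os.urandom(32)) == 32


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_client_context()),
                       ("hardened", hardened_client_context())):
        print(label + ":", audit_context(ctx) or ["ok"])
    print("rng seeded:", rng_ready())
```

Running the block prints the audit of the deliberately weak context (protocol floor, verification and hostname findings, plus whichever weak suites the local OpenSSL still offers) followed by an empty finding list for the hardened one. The point of the audit function is the check a wrapper user would otherwise never perform: a context that looks fine at construction can still be loosened later, so a library claiming "secure" should be able to show, not assert, which of the three rules its live configuration satisfies.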