Monoculture

John S. Denker jsd at av8n.com
Wed Oct 1 12:16:40 EDT 2003


On 10/01/2003 11:22 AM, Don Davis wrote:
 >
 > there's another rationale my clients often give for
 > wanting a new security system, instead of the off-
 > the-shelf standbys:  IPSec, SSL, Kerberos, and the
 > XML security specs are seen as too heavyweight for
 > some applications.  the developer doesn't want to
 > shoehorn these systems' bulk and extra flexibility
 > into their applications, because most applications
 > don't need most of the flexibility offered by these
 > systems.

Is that a rationale, or an irrationale?

According to 'ps', an all-up ssh system is less
than 3 megabytes (sshd, ssh-agent, and the ssh
client).  At current memory prices, your clients
would save less than $1.50 per system even if
their custom software could reduce this "bulk"
to zero.

With the cost of writing custom software being
what it is, they would need to sell quite a
large number of systems before de-bulking began
to pay off.  And that's before accounting for
the cost of security risks.

 > some shops experiment with the idea of using only
 > part of OpenSSL, but stripping unused stuff out of
 > each new release of OpenSSL is a maintenance hassle.

1) Well, they could just ignore the new release
and stick with the old version.  Or, if they think
the new features are desirable, then they ought
to compare the cost of "re-stripping" against the
cost of implementing the new desirable features
in the custom code.

I'm just trying to inject some balance into the
balance sheet.

2) If you do a good job "stripping" the code, you
could ask the maintainers to put your #ifdefs into
the mainline version.  Then you have no maintenance
hassle at all.

 > they want their crypto clothing
 > to fit well, but what's available off-the-rack is
 > a choice between frumpy....

Aha.  They want to make a fashion statement.

That at least is semi-understandable.  People do
expensive and risky things all the time in the name
of fashion.

---------------------------------------------------------------------
The Cryptography Mailing List