Should we settle on one SSL implementation?

Steve Grubb sgrubb at redhat.com
Tue Oct 23 12:46:24 UTC 2007


On Monday 22 October 2007 19:03:46 Thomas M Steenholdt wrote:
> Bernardo Innocenti wrote:
> > It would seem a worthwhile goal to unify SSL/TLS
> > implementations like we did for spell checkers.
> > Or, if it turns out to be too hard, at least it would
> > be nice to their pki files.
>
> I really don't think it's our job to decide which SSL implementation is
> used by the various different projects.

You are right, we don't want to decide anyone's preference. What we need to 
accomplish is adding another choice for projects. This way it can be compiled 
against either gnutls/openssl/home brew crypto, or NSS which is FIPS-140-2 
certified and has all the right interfaces for central configuration control.

> Those projects have already chosen which implementation they prefer - It's
> not for us to decide.

And the reason why they chose what they did varies with each project. It could 
be that they never considered NSS because it's not talked about very much or 
they don't realize it's FIPS-140-2 certified, or maybe they just didn't care. 
But there are enough users out there that really want to see certified crypto 
or they can't really use it in their setting.

> Also, Fedora aims to be as close to upstream as possible, so unless we
> can convince the project to change their preferred SSL implementation,
> I'm all for simply leaving it alone.

That is what we want to do. We want to help upstream projects add choice. We 
want to find out what the rough spots are for NSS and improve its 
documentation and API so that we can use it everywhere.

-Steve



