crypto consolidation status?

Robert Relyea rrelyea at redhat.com
Mon Sep 28 22:05:25 UTC 2009


On 09/27/2009 07:17 AM, Gregory Maxwell wrote:
> On Sun, Sep 27, 2009 at 1:44 AM, Ken Dreyer <ktdreyer at ktdreyer.com> wrote:
>   
>> I read the wiki page[1] on Fedora's effort to consolidate all the
>> crypto libraries. Quite an ambitious task! FWN [2] reported on the
>> rather large discussion back in '07, but I didn't see any resolution.
>> Is this still a goal for Fedora? The main wiki page hasn't been edited
>> in almost a year (although the scorecard is still being maintained).
>>
>> The reason I bring all of this up is that Server Name Indication has
>> recently been implemented into httpd's mod_ssl, but SNI is not present
>> in mod_nss[3]. If we abandon mod_ssl for mod_nss, we would lose this
>> functionality.
>>     
> [snip]
>
> Is this even a fair and reasonable goal unless the NSS upstream is
> really interested in becoming a superset of the functionality offered
> by the other crypto libraries?  (I don't know for sure that NSS' goal
> is not to— but I think that's unlikely. It's hard to even start a
> comparison because NSS doesn't appear to have developer documentation
> covering low level cryptographic functions)
>   
That is basically the goal. For the most part NSS is already there,
though there is stuff in NSS, like server side SNI which hasn't been
implemented.
> Is it reasonable when other package upstreams may not find the
> licensing of NSS to be acceptable (i.e. an upstream which is 100% BSD
> for it and all its dependencies), or would prefer not to use NSS for
> stylistic reasons— Would fedora carry patches for these applications
> in perpetuity?
>   
Why would a 100% BSD package have a problem with MPL?
> It's not even clear to me what exactly some of these goals mean i.e.
> "Get a cert using Firefox, use it in SSH" when ssh doesn't (normally)
> use X.509 certificates.
>   
This is actually a problem for some customers;).

bob

