Re: FIPS certification for openssl

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

> My number one complaint is that it seems like the defaults are generally set up to do the wrong things, and the application has to either explicitly set "yes, you should be secure" options or do stuff on its own.  This seems to have been getting better - gaining hostname validation, for instance - but really a client should be able to say "give me a secure connection to host:port" and have sensible and secure things happen with a single call.  Maybe two, one to create a handle and the other to actually set up the connection (to allow for intervening calls that customize the connection).

I agree with you, but a problem is that “safe and secure” changes over time when new  crypto and other new features are added. And then users get upset when their connections no longer work.

I think the right approach is to be able to specify a policy, then at least you know what you’re signing up for. Right now it’s a collection of low-level things.  And the policy is “SECLEVEL” which ain’t great.

 
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux