On 16 Jan 2014, at 18.23, Chris Cappuccio <ch...@nmedia.net> wrote: > For instance, you may have noticed that OpenSSH is moving towards an > openssl-free mode by importing NaCl components directly? > > One problem with abandoning OpenSSL is that you lose SSL, TLS, (oh, and > everything has to be rewritten to use NaCl, and is now incompatible with > everything else.) So what you see with OpenSSH is the first attempt at > doing this, and it will only be compatible with other people also using > new OpenSSH. > > The issue is compatbility.
Thanks Chris for your response and yes, you make a good point regarding compatibility. I am by far a crypto expert, but these issues have been anyway on my mind as of late. So bear with me, but would it be possible to switch /dev/crypto to be an interface to an autocipher engine where both OpenSSL and NaCl ciphers could be supported via e.g. /etc/autocipher.conf and then change all crypto-enabled apps to use /dev/crypto and only /dev/crypto as the interface? This approach could highly simplify the crypto operations in all of the associated daemons/tools included in Base, as well Ports could slowly converted to use the same interface. This is precisely the approach that is being taken in Ethos operating system which is being designed from the ground up to withstand cryptographic attack. Given the current status quo (widespread compromise of our computing base by 3 letter agencies), this starts to sound a bit less paranoid of an approach. Or have I got something wrong? Again, I am open to any sort of response. -mike
