MJ [m...@sci.fi] wrote: > > Thanks Chris for your response and yes, you make a good point regarding > compatibility. > > I am by far a crypto expert, but these issues have been anyway on my mind as > of late. So bear with me, but would it be possible to switch /dev/crypto to > be an interface to an autocipher engine where both OpenSSL and NaCl ciphers > could be supported via e.g. /etc/autocipher.conf and then change all > crypto-enabled apps to use /dev/crypto and only /dev/crypto as the interface? > This approach could highly simplify the crypto operations in all of the > associated daemons/tools included in Base, as well Ports could slowly > converted to use the same interface. This is precisely the approach that is > being taken in Ethos operating system which is being designed from the ground > up to withstand cryptographic attack. Given the current status quo > (widespread compromise of our computing base by 3 letter agencies), this > starts to sound a bit less paranoid of an approach. > > Or have I got something wrong? Again, I am open to any sort of response. >
OpenBSD has already began incorporating NaCl by bypassing OpenSSL entirely. I can't speak for the architectural issues but I can't imagine that I or you are the only people imagining better cipher suites in the base system.