On Tue, 10 Jun 2014 12:14:46 -0600 Theo de Raadt <dera...@cvs.openbsd.org> wrote:
> > I was reading stuff in misc@ about OpenSSL broken things. I see
> > people from OpenBSD started LibreSSL project and they are forking
> > OpenSSL and remove the bad code. This is past, but I see more and
> > more lesions are discovered. It may be a stupid question, but
> > having all these, isn't it more efficient to start LibreSSL from zero?
>
> Impossible.
>
> The OpenSSL API was built up through accretion over almost 2 decades.
> It is fat, bloated, repetitive, and tricky. In general, application
> authors have chosen to use the first APIs they spot which provide the
> functionality they need. As a result, almost all of the bloated API
> is potentially used in the greater ecosystem.
>
> It is quite simply impossible to reinvent this particular wheel. Any
> effort to reinvent it would be highly incompatible. Features and
> warts are too closely coupled.

wouldn't it be a feature? fewer warts, fewer bugs, fewer features, less compatible, but secure?

how many ciphers do we need to retrieve websites/mails over a secure channel? (i'm not a crypto guy, would love to get an answer. my bet: 1).

are exotic 1995 devices really worth the trouble?

regards,
chris