On 21/07/14 14:44, Samuli Seppänen wrote:
> Although we probably can all agree that the state of OpenSSL leaves a lot to be desired, it's now funded by the Core Infrastructure Initiative:
>
> <http://www.linuxfoundation.org/programs/core-infrastructure-initiative>
>
> I don't know if money (= a few full-time developers) can save the can of worms, but probably we should not panic quite yet. Opinions?
No libraries are perfect. OpenSSL is also far from perfect. But I think the press and the OpenSSL-haters have abused their screen time somewhat too much. So, I would say: no need to panic. It takes a long time to really build confidence in a crypto library, just like the math behind cryptographic functions.

Currently, PolarSSL is more attractive because of the smaller code base (but also less support for features OpenSSL has). So PolarSSL is easier to do a proper code review on. But also bear in mind that PolarSSL had their first releases around early 2009. OpenSSL was released in the mid/late 1990s. The age difference is 10 years(!).

I more strongly believe we will have a more secure world if it is more unpredictable which SSL implementation is being used. So I welcome PolarSSL very much, and I believe that just their _presence_ and being used by some of our users is important. Just as well, I'd like to see someone looking at an NSS implementation in OpenVPN.

--
kind regards,
David Sommerseth