>>>So in practice, I _have_ to use a CA that is built into all major browsers.
>>You're assuming a lot here. Perhaps TLS is broken for all the uses you're
>>interested in - that doesn't mean it's broken for everyone else's uses.

@Jean-Paul: Granted .. good catch. My interest is the Web/browser, and also
non-browser clients working in a Web-compatible way.

>Tobias, all of the things you've said here about browser UI, enterprise
>networks, and key management tooling are true; however, note that none of
>those nouns are "TLS".

@Glyph: I agree: "browser UI" is formally unrelated to TLS.

I (mostly) agree: locked-down enterprise networks are orthogonal to TLS -
formally.

And the "key management" system being orthogonal to TLS: a very good point.
The problem is X.509, and TLS today uses only that, but it is capable of
using different schemes in principle.

I did some further looking around: turns out there is TLS-PGP
http://tools.ietf.org/html/rfc6091

Does someone know whether OpenSSL supports that?

[Side note: if not, one more reason why a pure Python TLS implementation
(then with RFC 6091) would rock. The other reason being the total
awesomeness of the OpenSSL codebase ;) And the third: PyPy.]

> 1. Write some code that uses TLS (which is a wire protocol, after all, not a
>trust model or set of trust roots, nor a key management UI) and addresses
>these issues, by implementing a new trust model, protocol for exchanging trust
>roots, or key management UI, and selecting appropriate ciphers.

> 2. Write some code that uses a brand new wire protocol with unknown,
>unaudited security properties, also implementing appropriate ciphers, and also
>implementing all of the things in point 1.

>One of these options seems obviously superior to me :-).

Yeah ;) 1) => RFC 6091

>>*This* is probably now sufficiently off-topic, though...

>Man, are there some kind of Topic Police everyone is worried about? Do I need
>to start taking extra precautions when I write to mailing lists? :-)

Got it. It's just that different communities have different social codes.
But it's good that Twisted has no "Topic Police". I like that .. term and fact ;)

>I think this is on-topic enough, since this might inform TLS work with Twisted
>in the future, and Vertex has been brought under the Twisted umbrella
>recently, https://github.com/twisted/vertex and it seeks to provide a
>different trust model with TLS and Twisted.

Is there any intro / architecture document? I'd like to read more ..

/Tobias

_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
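The RFC 6091 mechanism the message asks about is a single TLS extension, cert_type (ExtensionType 9), that lets a client offer certificate types other than X.509 and lets the server pick one. The following is an added example, not code from this thread, from Twisted, Vertex, or OpenSSL: it encodes the client-side and server-side forms of that extension, parses them with the length checks a practitioner would want, and runs the two-sided negotiation. Type values (X.509 = 0, OpenPGP = 1) and wire layout follow RFC 6091; the server's preference order and the decision to treat an absent extension as X.509 are this example's own policy choices.

```python
"""Encode, parse and negotiate the TLS cert_type extension (RFC 6091, TLS-PGP).

Added illustration only; wire layout from RFC 6091, negotiation policy is
this example's own assumption.
"""
import struct

CERT_TYPE_EXT = 9          # IANA TLS ExtensionType "cert_type" (RFC 6091)
X509, OPENPGP = 0, 1       # CertificateType values defined by RFC 6091


class CertTypeError(ValueError):
    """Raised for malformed extension bytes or a failed negotiation."""


def _wrap(body):
    # Generic Extension framing: 2-byte extension_type, 2-byte length, data.
    return struct.pack("!HH", CERT_TYPE_EXT, len(body)) + body


def _unwrap(ext):
    if len(ext) < 4:
        raise CertTypeError("truncated extension header")
    ext_type, length = struct.unpack("!HH", ext[:4])
    if ext_type != CERT_TYPE_EXT:
        raise CertTypeError("not a cert_type extension: %d" % ext_type)
    body = ext[4:]
    if len(body) != length:
        raise CertTypeError("extension length mismatch")
    return body


def encode_client_cert_type(types):
    """ClientHello form: CertificateType certificate_types<1..2^8-1>."""
    if not types or len(types) > 255:
        raise CertTypeError("need 1..255 certificate types")
    return _wrap(bytes([len(types)]) + bytes(types))


def parse_client_cert_type(ext):
    body = _unwrap(ext)
    if not body or body[0] == 0 or len(body) != 1 + body[0]:
        raise CertTypeError("bad certificate_types vector")
    return list(body[1:])


def encode_server_cert_type(cert_type):
    """ServerHello form: exactly one CertificateType."""
    return _wrap(bytes([cert_type]))


def parse_server_cert_type(ext):
    body = _unwrap(ext)
    if len(body) != 1:
        raise CertTypeError("server cert_type must carry exactly one type")
    return body[0]


def server_select(client_ext, supported, prefer=(OPENPGP, X509)):
    """Server policy (assumed here): no extension means plain X.509;
    otherwise the first type in our preference order that both sides support."""
    if client_ext is None:
        return X509
    offered = parse_client_cert_type(client_ext)
    for t in prefer:
        if t in supported and t in offered:
            return t
    raise CertTypeError("no mutually supported certificate type")


def negotiate(client_types, server_supported):
    """Run both halves of the exchange and return the agreed CertificateType.

    The client refuses a server choice it never offered, which is the check that
    stops a server from silently steering it back to a type it wanted to avoid.
    """
    client_ext = encode_client_cert_type(client_types)        # client -> server
    chosen = server_select(client_ext, server_supported)      # server decides
    server_ext = encode_server_cert_type(chosen)              # server -> client
    agreed = parse_server_cert_type(server_ext)               # client parses
    if agreed not in client_types:
        raise CertTypeError("server chose a type the client did not offer")
    return agreed


if __name__ == "__main__":
    # Constructed sample run: client prefers OpenPGP but accepts X.509.
    print(negotiate([OPENPGP, X509], {X509}))            # 0: server has only X.509
    print(negotiate([OPENPGP, X509], {X509, OPENPGP}))   # 1: OpenPGP agreed
```

The encoder produces one Extension structure; a real ClientHello wraps all extensions in a further 2-byte-length vector, which a full implementation would add around this output.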