I could do an implementation of SSL. Speaking as a programmer with an interest in crypto, I'm fairly sure I could produce a cleanly implemented and simple-to-use version.

I confess I didn't realise there was a need. You see, it's not that it "doesn't seem to excite" [me] - it's just that, well, OpenSSL already exists, and creating another tool (or library or whatever) to do exactly the same thing seems a bit of a waste of time, like re-inventing the wheel. If you can provide some reasonably reassurance that it's not a waste of time, I'll make a start.

But I would like to ask you to clarify something about SSL which has been bugging me. Allow me to present a scenario. Suppose:
(1) Alice runs a web server.
(2) Bob has a web client.
(3) Alice and Bob know each other personally, and see each other every day.
(4) Eve is the bad guy. She runs a Certificate Authority, which is trusted by Bob's browser, but not by Bob.
Is it possible for Bob to instruct his browser to (a) refuse to trust anything signed by Eve, and (b) to trust Alice's certificate (which she handed to him personally)? (And if so, how?)

I am very much hoping that you can answer both (a) and (b) with a yes, in which case I will /definitely/ get on with recoding SSL.

> -----Original Message-----
> From: Perry E. Metzger [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 01, 2003 3:36 PM
> Subject: Re: Monoculture
> We could use more implementations of ssl and of ssh, no
> question.
> However, suggesting to people that they produce more cleanly
> implemented and simpler to use versions of existing algorithms and
> protocols doesn't seem to excite people, although it would be of
> tremendous utility.
> Perry

--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to