On Thu, Feb 07, 2008 at 08:47:20PM +1300, Peter Gutmann wrote:

> Victor Duchovni <[EMAIL PROTECTED]> writes:
> >While Firefox should ideally be developing and testing PSK now, without
> >stable libraries to use in servers and browsers, we can't yet expect anything
> >to be released.
> Is that the FF devlopers' reason for holding back?  Just wondering... why not
> release it with TLS-PSK/SRP anyway (particularly with 3.0 being in the beta
> stage, it'd be the perfect time to test new features), tested against existing
> implementations, then at least it's ready for when server support appears.  At
> the moment we seem to be in a catch-22, servers don't support it because
> browsers don't, and browsers don't support it because servers don't.

I don't have any idea why or why not, but all they can release now is
source code with #ifdef openssl >= 0.9.9  ... do PSK stuff ... #endif,
with binaries (dynamically) linked against the default OpenSSL on the
oldest supported release of each platform... For RedHat 4.x systems,
for example, that means that binary packages use 0.9.7...

Distributions that build their own Firefox from source may at some point
have PSK (once they ship OpenSSL 0.9.9). I don't think we will see this
available in many user's hands for 2-3 years after the code is written
(fielding new systems to the masses takes a long time...).


 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to