Marsh Ray <[email protected]> writes:

>Right, so one of the lessons learned here was that if IETF had considered
>APIs and not just protocols those bugs in TLS would have been found long ago.

A pen-tester I know once found a (fairly serious) security hole under the influence of (equally serious) pharmaceuticals, but I wouldn't recommend the IETF adopting that as a design strategy, just as I'd be pretty terrified of the result of the IETF trying to standardise a crypto API. If you look at the history of all the widely-used crypto APIs:

Crypto API designed by an individual or a single organisation:

  CryptoAPI: A handful of guys at Microsoft
  PKCS #11: Someone at RSA (I've heard different stories).
  JCE: A couple of guys at Sun.
  OpenSSL: Using the term "designed" very loosely :-), Eric Young and Tim Hudson.

Crypto API designed by a committee:

QED, I think.

Peter.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
