On Tue, May 28, 2013 at 09:11:13PM -0700, Bry8 Star wrote:
> I would agree completely, these addons have many more bugs and far
> from perfect. Even in "3 s m" or "2 s m" detection & verification,
> not very consistent yet.
You are much more charitable to major design and implementation
flaws than I am willing to be.
> So very likely internal source-codes are tuned for limited TLSA
> cases only.
Why promote the use of implementations that don't even correctly
implement the subset of parameters they set out to support?
> It would have been great, if those two addons could show cert chain
> or debug info on which exact certs or chain of certs these addons
> have checked/verified.
IMHO it would have been even better if at least the one I read was
never released to the public. Don't confuse the feature set with
the implementation.
How do you know they do what they claim to do? Be skeptical of
new implementations of security mechanisms (including mine). They
need to be thoroughly vetted before they are fit for use by the
public.
> And if those two addons are further improved for using with
> Thunderbird for _993, _995, _25, _465 based services then that
> would have been very helpful. Currently those two addons do not
> understand those DNS RRs.
More flawed security code used more broadly is not progress.
Yes, there should be multiple implementations, but not very many.
Security libraries and plugins need to be written with above average
attention to detail and must stand the test of time. The design
should be feature complete and generally correct, before any code is
written.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane