Hi all--

Thanks for everyone’s comments about this—I think the discussion has been 
really illuminating.

Right now, what I’m working on is updating some TLS statistics using 
https://github.com/mozilla/cipherscan 
(it’s taking a bit longer than I’d originally anticipated). Based on my current 
results (~50k sites), over 7% can only use TLS1 or lower. This means that, at a 
minimum, rustls would need to implement TLS1 and 1.1 in addition to 1.2 
(and eventually 1.3) in order for Servo to use it. I’m not quite sure what the 
bar should be for deciding that it’s okay to not support legacy protocols, but 
I definitely think that 7% is too high. In my opinion, web compatibility should 
be a goal of Servo.

I’d also like to draw a distinction between ring and rustls (or any other Rust 
TLS implementation). As far as I’m aware, ring implements cryptographic 
primitives, but not cryptographic protocols. The protocols can then be built on 
top of ring, as is the case with rustls. For what it’s worth, I think that this 
is the right design approach. Rustls is brand new and is explicitly not 
feature-complete enough for web compatibility. It’s a noble goal to only want 
to implement ‘good’ crypto, but it’s not very practical.

I get really excited about Rust crypto. Personally, I think that Rust is a 
great language for implementing crypto, and I think that there will be a place 
in Servo for it. However, the way that I’ve looked at Servo is as a “practical” 
research project—yes, it's doing cutting edge research, but it also should work 
well and securely for web browsing (maybe embedded applications, etc). Because 
of this, I still think that it’s best to start with a wrapper of mainstream 
crypto.

One thing I’m also looking at is how it could be possible to make the Servo 
crypto library interchangeable via traitization (I might be making up words 
now). That way, people who want to use Rust crypto can do so, and people who 
would prefer a wrapper of a more established library can do that. Whatever 
Servo uses today doesn’t have to be the “final” decision (for whatever 
definition of final you prefer, I guess).

Regarding webpki—I don’t think I can disagree with Brian (since he’s definitely 
the expert). I also don’t know of any additional options other than webpki, so 
maybe adopting webpki is something that Servo should look into more. 

Diane | avadacatavra


> On Aug 28, 2016, at 19:22, adela...@gmail.com wrote:
> 
> Hi,
> just want to point that using independent Rust libraries may be good to avoid 
> problems like this: https://github.com/sfackler/rust-openssl/issues/255
> 
> Adelar
> _______________________________________________
> dev-servo mailing list
> dev-servo@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-servo
