On 08/14/2013 10:45 AM, Daniel Jackoway wrote:
Hi all,

With the guidance of Trevor Perrin (cc-ed), I have put together the beginnings 
of a patch to allow clients of the NSS library to implement support for 
arbitrary TLS extensions. The motivation is to allow clients of NSS to 
implement new proposals that bolster the CA trust model, such as TACK[1] and 
Certificate Transparency[2]. However, the goal is to make a broadly-useful 
patch allowing for a wide array of TLS extensions.

I have the beginnings of the patch on GitHub[3]. It is not done, but the major 
functionality is more-or-less all there. There are still some needed changes 
that I know aren't implemented, a number of test failures I need to hunt down, 
and a number of style problems. But I'm getting close, and for some of what I 
still need to do (especially defining some parts of the public interface), 
feedback would be very useful.

So I'd love to hear any feedback and guidance, as well as any concerns that 
might prevent this from eventually getting committed.

I'm happy to take feedback anywhere; GitHub may be the best place for 
line-level code comments since it has a nice interface for that, but I'd guess 
the list is a better for high-level discussion. I'm also happy to open an issue 
on bugzilla, but I thought it might be better to wait until the patch is 
functional.

Thank you,
Daniel

First I was excited because I thought it was something I have wanted to get into NSS for a while (dynamically adding cipher suites... though that probably causes problems for Brian's attempt to standardize on cipher suites).

That being said, adding dynamically added extensions sounds like a reasonable addition. The main question that comes to mind is:

Are you adding the extensions programmatically (that is, an application can add extensions by making various calls to do so), or are you adding extensions dynamically through some sort of configuration? Both are useful, though the latter may be more interesting.

Also, NSS lives in the Mozilla Hg repository. The NSS team usually shares uncommitted patches through Bugzilla as straight patch files. This lets the team members use the tools they prefer to review them.

bob
[1] http://tack.io/
[2] http://www.certificate-transparency.org/
[3] https://github.com/jackowayed/mozilla-nss/pull/1
