MJ [m...@sci.fi] wrote:
>
> On 16 Jan 2014, at 19.17, Chris Cappuccio <ch...@nmedia.net> wrote:
> > OpenBSD has already begun incorporating NaCl by bypassing OpenSSL entirely.
>
> Good news - perhaps my philosophy is "why lay a lot of small bricks here and
> there when you can lay a cornerstone and be done with it?". But perhaps I am
> not taking all things into consideration.
>

OpenSSH is a project that gets used outside of OpenBSD, so the way NaCl was
incorporated makes sense to me... It allows OpenSSH to evolve the SSH standard
with a minimum of fuss and contention. How new crypto primitives get
incorporated into the rest of the system depends on how the people who work
on those systems see things.

> > I can't speak for the architectural issues but I can't imagine that I or you
> > are the only people imagining better cipher suites in the base system.
>
> You are certainly right - that would be just naive. The OpenBSD approach to
> things is generally to make the interfaces as simple as possible, drop-dead
> simple. This eliminates configuration mistakes. Take OpenNTPD for example -
> it's simply beautiful what has been done with the configuration interface.
>
> A systemwide autocipher engine device could easily be incorporated directly
> into PF, no? block all cipher hmac-sha1 (for example).
>

Block traffic with specific ciphers from traversing the network? That's sci.fi