Robert Relyea wrote:
> Ian Grigg wrote on Wed, 10 Mar 04, 7:43 PM:

>> So, 4. is out. Sorry, SSL guys, it's just too hard.


Actually, that was a throwaway remark, it
applies as well to SSH libraries as anything,
which have also been criticised as too hard.


>> Then, 3. is easily dispensed with, as
>> those wunderkinder just don't exist.
>>
>> Which leaves 1 or 2: Nothing or something really quick and dirty, and probably only somewhat secure.
>>
>> This is the SSH story. SSH 1 was widely thought to be pretty loose. What happened? It succeeded, partly because the author didn't worry overly about having perfect crypto - he rocked on ahead with something that was "ok".


> This seems like a very narrow view of the world.


I suggest it to be empirical - based on looking
back at what happened.


> By just about any reasonable metric SSL is hardly a failure compared to SSH. SSH will not be a wide success outside a few technically competent people because it is not easy to use.



See comments in mail to Julien on that fascinating question of what makes a successful crypto protocol.


> The argument that "quick and dirty and we will
> fix it later" is an extension of the adage
> "weak security is better than no security".


Sure. I would clarify that I'm not offering my opinion on whether this is a good thing or not - I'm just saying that a) this is what is happening, and b) it will happen regardless of what we security people want to happen.

I'm suggesting that this is reality, and the
old story of "must use strong crypto and full
secure protocols" and all that good stuff is
simply not reality.  We may agree that your
way is nicer, but how relevant is it?


...


> The cost of learning how to include SSL is no
> harder than the cost of learning UI API's. You
> could always start your app with some simple
> line drawing, and let it develop as people
> hand draw buttons, etc. The problem is your
> app will not be able to play in the existing
> infrastructures. In the long run your app will
> take more time to develop, have weird bugs, but
> hey you didn't have to learn how to use the
> Microsoft Windows system, or Motif widgets, or
> Mac Interface builders.


Funnily enough, people who've overcome the cost of learning how to program GUIs often decide not to learn how to code SSL, and v. versa. It may well be that it is no harder ... but that doesn't seem to be sufficient.

iang

PS: personally, I think learning crypto and
APIs for crypto is way easier than learning
UI APIs.  But that's just me.
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
