On Thu, Sep 10, 2009 at 06:10:27PM +0200, Dr. Stephen Henson wrote:
> On Wed, Sep 09, 2009, Thor Lancelot Simon wrote:
> 
> > On Sat, Aug 29, 2009 at 05:34:04PM -0400, Steve Marquess wrote:
> > 
> > That this wasn't the obvious approach from the very beginning speaks
> > worlds about the limitations of the ENGINE interface.
> 
> The actual story of why FIPS is the way it is is rather different. I think a
> few home truths are in order on this and some related issues.

I'm not sure what the story of how the current FIPS mode was implemented
brings to bear on the question of whether the limitations of the ENGINE
interface made it unduly hard.

I've been involved in two FIPS validations of vendor versions of OpenSSL.
I think one of them may have been one of the first ones ever done.  I am
aware of how much work you must have done to get things even into the
state they are in today -- though I certainly didn't know it was unfunded.

On the other hand, I think at this point it is not unreasonable to talk
about how design decisions made elsewhere in OpenSSL in the past (and even
in the not-so-distant past) make this kind of systematic change harder.

From my point of view, if I were to set out to do a de novo FIPS compliant
version of OpenSSL today, the largest obstacle would be the current
ENGINE interface.  With a more capable interface to ENGINEs, durable
FIPS support would be much easier.  I'm sorry if I've offended you by saying
so, but I can't quite see why -- and I didn't even bring up the subject of
why FIPS isn't an ENGINE in this discussion, one of the OpenSSL developers
did!

On what is largely a separate topic, but an important one:

You complain that commercial entities use OpenSSL but don't fund it.  From
my point of view, it is not hard to understand why: it is usually far easier
to contribute code or development time than cash, but every time I, at least,
have proposed contributing any kind of code to OpenSSL which would involve
a structural change, it's been either ignored or shot down by the OpenSSL
developers.  In several cases developers have privately told me they were
working on something else better than what I was offering to contribute --
but then that code mysteriously never showed up in the tree.

So what happens?  Other people responsible for development of vendor
versions of OpenSSL at other commercial shops presumably end up in the
same situation I do: with trees full of private modifications and
enhancements and a great deal of frustration towards OpenSSL itself.  At
this point, having gone hat-in-hand to my management a number of times
asking if I could have my team write (or rewrite) this or that for
contribution to OpenSSL, and then having found that OpenSSL wasn't 
interested or, often, even responsive, I have basically no credibility
left to ask that we contribute _anything_ -- certainly not cash which
will presumably be spent on development priorities which share little
with ours.

This is not a good situation.

Thor
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org