I agree with Christian and Donald (unsurprisingly).

The key thing to note is that we can extend this API as time goes on and we get 
a better understanding of what's happening. And any application that is doing 
hot TLS config changes is likely not going to be agnostic to the concrete TLS 
implementation it uses anyway, given that many implementations won't be 
sensibly able to do it.

I'm not even sure about the specific API we're using for SNI: I might just want 
to restrict it to emitting new certificates.

Cory

> On 12 Jan 2017, at 19:29, Donald Stufft <don...@stufft.io> wrote:
> 
> 
>> On Jan 12, 2017, at 2:13 PM, Christian Heimes <christ...@cheimes.de> wrote:
>> 
>> Let's keep it simple. We can always define an enhanced superset of the
>> TLS ABC later. But we cannot remove features or change API in an
>> incompatible way later.
> 
> 
> I think the server side stuff makes sense, it’ll be important for projects 
> like Twisted and such and isn’t really *that* much more effort. Getting too 
> lost in the weeds over advanced features like hot-config-reload I agree is a 
> bad use of resources.
> 
> —
> Donald Stufft
> 
> 
> 
_______________________________________________
Security-SIG mailing list
Security-SIG@python.org
https://mail.python.org/mailman/listinfo/security-sig
