I agree with Christian and Donald (unsurprisingly). The key thing to note is that we can extend this API as time goes on and we get a better understanding of what's happening. And any application that is doing hot TLS config changes is likely not going to be agnostic to the concrete TLS implementation it uses anyway, given that many implementations won't be sensibly able to do it.
I'm not even sure about the specific API we're using for SNI: I might just want to restrict it to emitting new certificates. Cory > On 12 Jan 2017, at 19:29, Donald Stufft <don...@stufft.io> wrote: > > >> On Jan 12, 2017, at 2:13 PM, Christian Heimes <christ...@cheimes.de> wrote: >> >> Let's keep it simple. We can always define an enhanced superset of the >> TLS ABC later. But we cannot remove features or change API in an >> incompatible way later. > > > I think the server side stuff makes sense, it’ll be important for projects > like Twisted and such and isn’t really *that* much more effort. Getting too > lost in the weeds over advanced features like hot-config-reload I agree is a > bad use of resources. > > — > Donald Stufft > > >
_______________________________________________ Security-SIG mailing list Security-SIG@python.org https://mail.python.org/mailman/listinfo/security-sig
