> On Jul 31, 2015, at 5:54 PM, Richard Barnes <[email protected]> wrote: > > I have a pretty strong preference for (a), the Rescorla draft. New code is > undesirable in security systems -- better to rely on a known, battle-tested > code base.
The codebase is going to be new anyway. We’re not likely to be able to shoehorn OpenSSL or NSS into the kernel, especially if we end up having the “hard” operations done in a separate daemon (for the profile of TLS that is likely to emerge here, this may not be necessary). > So it seems like a no-brainer to use TLS as the starting point and making the > minimum set of changes needed. We ended up writing our own TLS code, but then we had the full TLS to implement, including certificate validation and RSA signatures, so we had to split things between user-space and kernel. An implementation may opt to perform the diffie-hellman in the kernel, but I still doubt you would be able to use OpenSSL without major modifications. Yoav _______________________________________________ Tcpinc mailing list [email protected] https://www.ietf.org/mailman/listinfo/tcpinc
