On Thu, Dec 11, 2014 at 6:51 AM, Stuart Henderson <[email protected]> wrote:
> On 2014/12/11 16:42, Dmitry Eremin-Solenikov wrote:
>> 2014-12-11 15:40 GMT+03:00 Stuart Henderson <[email protected]>:
>> > On 2014/12/11 16:08, Dmitry Eremin-Solenikov wrote:
>> >> Hello,
>> >>
>> >> For historical reasons there is a significant amount of duplicated
>> >> functionality. For example one can use openssl rsa/dsa/ec to
>> >> create/modify private/public keys, or it's possible to just use the
>> >> generic openssl genpkey/pkey interface. I'd like to suggest cleaning up
>> >> the first set of commands in favour of a generic implementation.
>> >>
>> >> What do you think?
>> >
>> > The "old" interfaces are still very widely used, both in text
>> > (books/guides/documentation) on handling keys, and directly used in
>> > programs (to pick a couple: ikectl, easyrsa)
>> >
>> > I dislike having two separate implementations in code that do basically
>> > the same thing so perhaps they could be consolidated somehow, but
>> > think the old command-line options would need to set things up to
>> > call common code and work as before; removing them will cause
>> > widespread difficulty.
>>
>> Should LibreSSL start the process of deprecating them? Add a warning,
>> start updating users and docs?
>
> Good luck!
>
> Google for "openssl genrsa" says "About 108,000 results", the same
> search on github "We've found 40,410 code results".
>

Maybe it would be better to direct energy toward a simpler, TLS-focused
app altogether, to live alongside the openssl(1) app, in the vein of
libtls?  There certainly would be demand for an app that:

1. makes all modern, common use cases easy and obvious how to use:
   (generate/sign/verify/dump certs, benchmark, netcat-style TLS client, server)
2. uses regular getopt-style arguments
3. makes something like setting up a local CA and generating a
   self-signed key as easy as reading the manpage
4. is a good example of library usage and coding style

I believe boringssl has something called 'bssl'.  What about calling
it 'tis'? Maybe I should stop talking about it and get coding (though
don't let me stop you!)...
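The duplication the thread is about, shown concretely as an added example (not part of the original thread): the same RSA private key handled through the algorithm-specific command (openssl rsa) and the generic one (openssl pkey). It assumes an openssl(1) binary on PATH (OpenSSL or LibreSSL); the file names are temporary and constructed here.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl(1) is installed.
set -eu

# Generate a 2048-bit RSA key with each generator, check that either family
# of commands can read the other's output, and derive the public key from
# one private key with both interfaces. Prints "ok" when the two derived
# public keys are byte-identical, "skip" when openssl is not installed.
compare_key_interfaces() {
    command -v openssl >/dev/null 2>&1 || { echo skip; return 0; }
    dir=$(mktemp -d)
    trap 'rm -rf "$dir"' EXIT

    # "old" algorithm-specific generator
    openssl genrsa -out "$dir/old.pem" 2048 2>/dev/null
    # generic generator (same key type and size via -pkeyopt)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/new.pem" 2>/dev/null

    # Each private key is readable by the other family of commands
    openssl pkey -in "$dir/old.pem" -noout
    openssl rsa  -in "$dir/new.pem" -noout 2>/dev/null

    # Derive the public key from the same private key via both interfaces;
    # both write a SubjectPublicKeyInfo PEM, so the files should match
    openssl rsa  -in "$dir/old.pem" -pubout -out "$dir/pub_rsa.pem" 2>/dev/null
    openssl pkey -in "$dir/old.pem" -pubout -out "$dir/pub_pkey.pem"

    if cmp -s "$dir/pub_rsa.pem" "$dir/pub_pkey.pem"; then
        echo ok
    else
        echo mismatch
    fi
}

compare_key_interfaces
```

Note that the private-key PEM encodings may differ (genrsa historically writes PKCS#1, genpkey writes PKCS#8), which is why the comparison is done on the derived public keys.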
