At 10:57 PM +1300 1/8/08, Peter Gutmann wrote:
As invariably happens with these things, there are a pile of off-list private threads going on that look at this. I thought the following comment was rather interesting, since I'm currently responsible for stirring things up :-) I've forwarded it with the author's permission. Peter. -- Snip -- Stephen Kent <kent@xxxxxxx>:I do not agree with the suggestion that we should back off on what constitutes good practice just because a specific piece of (open source) software has limitations in what it supports relative to the standards it purportedly implements."do not agree that we should back off ... good practice just because open source software has limitatioms..." - Well what about PKIX's non-use of modern ASN.1 for almost ten years due to "no freeware modern ASN.1 compiler available"?? Sigh. Talk about inconsistency.
These are not inconsistent statements, Peter.Russ argued for some time that we ought not move to the newer ASN.1, which offered minor improvements in expressive ability, when the only open source ASN.1 compilers were for the older version. He is now making a similar argument about the importance of open source software and adoption of PKI technology, using OpenSSL as the exemplar.
In the case of ASN.1 compilers, there were several options available to implementers, and more than one of them was very good. (One was commissioned by the U.S DoD and made available for use in systems provided to them.) In the case of OpenSSL, it is regarded as the de facto open source crypto and cert processing software, and it has had numerous errors. So, while I agreed with Russ's position on ASN.1, I am less sanguine with suggestions that we tailer our view of what constitutes good practice based on OpenSSL capabilities.
Steve