Re: Antw: use openssl or moznss for more than TLS?

devzero2000 wrote: FIPS spec is clearly nonsense, from a technical perspective. E.g. it required support of Dual_EC_DRBG random number generator which was proven to be inferior and almost certainly has an NSA backdoor. The Fedora crypto consolidation rationale is completely bogus; in unifying the crypto database across the entire machine it fails to recognize that different services (and different clients) will have completely different security policies and requirements. Of course this is common knowledge for actual security practitioners - servers generally should only recognize and trust client certificates issued by a single CA, while clients generally need to be able to trust many different CAs for a wide range of services. HTTP servers have much different certificate requirements from LDAP/FTP/SMTP servers; almost nobody uses client certificates with HTTP but they are commonplace for many other authenticated services. Of course, the Fedora crypto scene is dictated more by political concerns than technical. https://bugzilla.redhat.com/show_bug.cgi?id=319901 -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/