Subscribe: Comments on: I got yer crypto right here
http://shaver.off.net/diary/2005/09/20/i-got-yer-crypto-right-here/feed/

Comments on: I got yer crypto right here



noise from signal



Last Build Date: Thu, 10 Nov 2011 07:05:56 +0000

 



By: Remy

Thu, 22 Sep 2005 01:04:03 +0000

@i5mast:

> I think it is the most widely tested SSL implementation.

I can't agree with you there. It has been around for longer, but it is not the most widely used/scrutinized SSL library.

@Bob Lord:

I am not doubting any of what you are saying. I commend Netscape for inventing SSL. My point was that OpenSSL has so far been the only SSL/TLS solution for Apache, and known to be of high quality. What benefit would there be in my switching to NSS from the widely used OpenSSL module? What advantages are offered to warrant a parade?

It seems to me that with wider adoption of NSS, we will be flooded with new advisories from security researchers, with administrators having to scramble to update mod_nss on a regular basis.




By: Bob Lord

Wed, 21 Sep 2005 16:02:20 +0000

As i5mast mentioned, NSS is a descendant of the original SSL libraries. It's used in products from Sun, Red Hat, Mozilla and others. Here's a good overview of NSS: http://www.mozilla.org/projects/security/pki/nss/overview.html

In terms of review, NSS has also undergone FIPS 140 validation (a U.S. government standard) conducted by a 3rd party testing lab. See http://www.mozilla.org/projects/security/pki/nss/fips/ We are refreshing our FIPS 140 validation, and are posting all of our working documents on the web. That way if another vendor wishes to obtain FIPS 140 validation of NSS for a different platform, or for a different release of NSS, they may do so at a much reduced cost (it's very expensive in terms of time, and money). See http://wiki.mozilla.org/FIPS_Validation

Since we maintain the NSS crypto module of Mozilla, several Red Hat products, etc. it's easier for us to also have a version of the crypto libraries that we know and maintain. It's not going to be right for everyone, and it's still a very early release. But we thought we'd contribute it and invite people to help build it out, to inspect the code, test it, or contribute in whatever way they see fit.

-Bob Lord (Pointy haired engineering director from Red Hat)




By: i5mast

Wed, 21 Sep 2005 15:07:05 +0000

NSS is the granddaddy implementation of SSL. Remember that SSL was invented at Netscape. I think it is the most widely tested SSL implementation.




By: Remy

Wed, 21 Sep 2005 04:58:23 +0000

Ok, what benefits are there to using NSS over OpenSSL, which has been tested and known to be efficient/reliable in heavily multi-threaded apps? And I'm not sure how much community review has gone into testing NSS for security vulnerabilities. Perhaps you can elaborate on this.




By: David Ascher

Tue, 20 Sep 2005 23:29:04 +0000

Is there any parade-worthy benefit to folks not using NSS-enabled technology currently?

Cluelessly yours,

--david