[bind10-dev] [sprint planning] estimate result discussion for sprint ending 2013-03-19
Carsten Strotmann
carsten at strotmann.de
Tue Mar 5 11:20:50 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello Brett,
Brett Wynkoop wrote:
>> #2822 (remove dependencies to OpenSSL, use Botan instead)
>
>> As someone else also suggested, perhaps it should be the other way
>> around (which, tbh, seems easier)
>
> I would prefer no botan and use openssl instead. OpenSSL is much
> more common on systems than Botan, so it would be one less thing for
> the end customer to fight with as a pre-req.
>
Using Botan in BIND 10 has the benefit of reducing a security software
monoculture. A lot of other security-related software builds on OpenSSL,
including BIND 9. If a serious bug were discovered in OpenSSL,
it would have a major effect.

I like the choice of Botan in BIND 10 for this reason.

But BIND 10 should only require one crypto library.

If I understand correctly, Francis Dupont proposed a pluggable PKCS#11
interface where the actual crypto "engine" (Botan, OpenSSL, HSM) can be
changed. That would be a very flexible solution if that can be done in a
way that is not too complex (as complexity hurts security).
- -- Carsten
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAlE11RIACgkQiDbv+TR5q6JaewCcDDcnPo7anJPNFc3IWzmXKKMm
smAAoJ8KozEpLVJGKiQe7MIpOFwIjW4v
=0H8c
-----END PGP SIGNATURE-----