[openssl-dev] [openssl.org #3992] [PATCH] Allow RFC6962 Signed Certificate Timestamps to be disabled

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Mon Aug 10 16:11:16 UTC 2015


For the sake of brevity I’ll answer to only some of your points (that I
consider relevant to my views or work).

On 8/10/15, 5:44 , "openssl-dev on behalf of David Woodhouse"
<openssl-dev-bounces at openssl.org on behalf of dwmw2 at infradead.org> wrote:

>UEFI is widely mocked for how bloated it is, given that the job of a sane
>firmware is to boot the operating as quickly as possible and then get the
>hell out of the way.

Yes. But skimping on security features is not a good way to deal with
software/firmware bloat. And again, attacks on this layer are increasing
in quantity and sophistication. The current protection mechanisms appear
insufficient. Draw your own conclusions.

>You seem to be suggesting that we build in some cryptographic
>functionality that we admit we have no *idea* how we could sensibly use
>it, and also build in various extended math library routines that are
>currently unneeded but would need a whole bunch of pain for different
>GCC/MSVC/LLVM toolchains and ABIs... just in case we one day work out how
>we might use it.

All that for just one attribute? Of a certificate that you already have to
deal with? I’m missing something, or you’re not correct.
