[Vm-dev] Re: SqueakSSL fixes

Ron Teitelbaum ron at usmedrec.com
Mon Feb 17 20:58:20 UTC 2014


> From: Paul DeBruicker
> 
> 
> Hi Ron,
> 
> I agree with everything you said.  It's my understanding that the use of the PRNG
> data will be for things like the Seaside specific _s session keys and _k callback
> keys and cookies.  Not any kind of secure streaming protocol.
> Since SqueakSSL now ships with Eliot's vm and the pharo vm it seems like a
> convenient, better source than the Random class on those platforms.
> 
> Thanks
> 
> Paul
> 

I guess the risk is that the PRNG is not SSL and I would hate to risk confusing developers about why it is there.  Simple is definitely best where Crypto is concerned.  Did you look at the Croquet plugin?  It has everything you need; you could just pull the PRNG part out and ship it with a new PRNG plugin.

Ron

> 
> 
> Ron Teitelbaum wrote
> >> From: Paul DeBruicker
> >>
> >>
> >> Göran Krampe wrote
> >> >
> >> > ...phew. Ok, let me know if you need anything more and ask questions.
> >> >
> >> > regards, Göran
> >>
> >>
> >> Hi  Göran,
> >>
> >> On the Seaside Dev list there was a discussion about accessing
> >> RAND_bytes from OpenSSL via the SqueakSSL plugin for secure key
> >> generation.  Is that something that would be possible to add to the
> >> SqueakSSL plugin at this time?
> >>
> >> The discussion is here:
> >>
> >> http://forum.world.st/Seaside-Security-td4742433.html
> >>
> >
> > Hi Paul,
> >
> > I may be missing something so maybe you could answer a question for me.
> > The best cryptography is the simplest for developers to implement.  I
> > understand wanting to provide crypto components, that's what we did
> > with the Cryptography Team.  SqueakSSL is a much better solution for
> > adding security to end users (developers) of Seaside.  The reason for
> > this is that all of the technical details are left for the
> > professionals.  SqueakSSL uses OpenSSL on Linux and the Windows
> > security implementation on Windows, and the Apple security
> > implementation on Mac.  You really can't get better than that.
> > SqueakSSL eliminates your need for PRNG, since it is used and
> > implemented properly on each platform.  So given that, why do you need
> > PRNG?  If you are implementing your own secure stream, you had better
> > know what you are doing, in which case PRNG becomes less of an issue, since
> > there are a lot of platform specific solutions.
> >
> > If you are sure you need it we did one in Cryptography which might be
> > useful.  If you really feel like you need a proper platform specific
> > random generator see the Croquet plugin and TCryptoRandom.
> >
> > Also if you are planning on using SSL on a Linux server I would highly
> > recommend using STUD.
> >
> > All the best,
> >
> > Ron Teitelbaum
> >
> >>
> >> Thanks
> >>
> >> Paul
> >>
> >>
> >>
> >> --
> >> View this message in context: http://forum.world.st/SqueakSSL-fixes-tp4743244p4744392.html
> >> Sent from the Squeak VM mailing list archive at Nabble.com.
> 
> 
> 
> 
> 
> --
> View this message in context: http://forum.world.st/SqueakSSL-fixes-tp4743244p4744443.html
> Sent from the Squeak VM mailing list archive at Nabble.com.



