[Security-sig] Unified TLS API for Python
Cory Benfield
cory at lukasa.co.uk
Thu Jan 12 14:39:59 EST 2017
I agree with Christian and Donald (unsurprisingly).
The key thing to note is that we can extend this API as time goes on and we get a better understanding of what's happening. And any application that is doing hot TLS config changes is likely not going to be agnostic to the concrete TLS implementation it uses anyway, given that many implementations won't be sensibly able to do it.
I'm not even sure about the specific API we're using for SNI: I might just want to restrict it to emitting new certificates.
Cory
> On 12 Jan 2017, at 19:29, Donald Stufft <donald at stufft.io> wrote:
>
>
>> On Jan 12, 2017, at 2:13 PM, Christian Heimes <christian at cheimes.de> wrote:
>>
>> Let's keep it simple. We can always define an enhanced superset of the
>> TLS ABC later. But we cannot remove features or change API in an
>> incompatible way later.
>
>
> I think the server side stuff makes sense, it’ll be important for projects like Twisted and such and isn’t really *that* much more effort. Getting too lost in the weeds over advanced features like hot-config-reload I agree is a bad use of resources.
>
> —
> Donald Stufft
>
>
>