[Security-sig] Unified TLS API for Python: Round 2

Christian Heimes christian at cheimes.de
Sun Jan 22 12:16:18 EST 2017


On 2017-01-22 18:01, Wes Turner wrote:
> 
> 
> On Sunday, January 22, 2017, Cory Benfield <cory at lukasa.co.uk> wrote:
> 
> 
>>     On 22 Jan 2017, at 16:23, Wes Turner <wes.turner at gmail.com> wrote:
>>
>>     Looking at the GnuTLS manual [1], I see a number of potential
>>     additional configuration parameters:
>>
>>     - session resumption (bool, expiration time)
>>     - Trust on first use (SSH-like)
>>     - DANE [2]
> 
>     Remember that the goal of this API is not to support every
>     configuration option supported by 1 or more concrete
>     implementations. The goal of this API is to support the common
>     superset of the most-used APIs as needed for TLS. TOFU at the TLS
>     level is not in that scope. DANE is not widely supported. 
> 
> 
> - OpenSSL 1.1.0 supports DANE 
> - GnuTLS supports DANE
> - AFAIU, neither SChannel nor Secure Transport yet support DANE
> 
> So, in order to support e.g. DANE, where would the additional
> backend-specific configuration occur?

DANE is irrelevant for PKI and suffers from the same issue as OCSP
requests. Melinda is working on an IETF standard for DANE stapling. For
TLS API 2.0 we can talk about OCSP stapling, EV and CT. For the first
iteration, any advanced feature is out of scope.

Please remember, all features have to be implemented for at least four
wrappers (Python ssl, cryptography for PyPy, SChannel and
SecureTransport). Let's not get ahead of ourselves.

Christian

