[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Notes from Conversation with Roger




 George Danezis <gd@theory.lcs.mit.edu> wrote:
>
> Questions:
> - How easy it is to hack OpenSSL to add a new record type, and define how 
> it should be processed? (nick?) Are there any hooks to the library that 
> would allow us to do this without getting our hands dirty?
> - Can we hack it cleanly without modifying any of the standardized parts 
> (I guess this is a question for me!)

I don't know the answer to this question.  I'm willing to figure it out if need 
be.

> - How do people feel about the above choice between custom made vs. SSL? 
> (no commitment - just feeling)

I think I prefer custom.  By the way, we did a custom encryption protocol for 
Mojo Nation, which is still present in EGTP.

To me the primary advantage of TLS is that it is standardized and implemented.  
If we have to tweak it then we lose this advantage and run afoul of one of its 
disadvantages: that it is more complex than we need.

Another disadvantage of TLS is that it needs interactive sessions which means it 
can't easily be layered on top of non-connectiony substrates like HTTP, EGTP, or 
e-mail.

Such layering would be useful, for example, to bypass national firewalls such 
as those employed by many Asian and Arab nations, not to mention corporate 
firewalls.

This doesn't matter at first since we're just using TCP, so I'm willing to 
ignore the issue for now.  Thus I end up with a lukewarm vote: I think I'd 
prefer a custom protocol which could be simpler and more directed at the 
anonymity goals.

Regards,

Zooko

---
                 zooko.com
Security and Distributed Systems Engineering
---