[Users] Re: [Devel] TLS requirements and some brainstorming (long email)

Cesc cesc.santa at gmail.com
Mon Nov 21 15:56:48 CET 2005

Hi all,

A couple of notes I would like to make ...

* On the "tls name extensions" ... it is indeed needed and it is not
in OpenSSL.
   I do think we have a strong case for lobbying the OpenSSL core
developers directly ... and I think openSER (and SER) have a rather
strong arm. We could get in touch with the developer of the patch and
the OpenSSL core devs.
   Meanwhile ... the solution of providing the patch ... I see it as
complicated and it won't spread very far, thus limiting its usefulness
... it could be sold as a way of testing the name extension patch and
speeding up its inclusion in OpenSSL ... but until that time, I think we
should focus on other scenarios of openSER-TLS.

* Klaus' initial email and scenarios ... I think it is a very
enlightening explanation and it should be included in a TLS FAQ, but
... I would say that security is a very particular thing, and
different people may wish to do things in a different way, thus we
should provide a flexible solution. In my opinion, a core that sets up
the TLS connection plus a security-tls module which provides access to
verification of certs against DB entries, TLS connection management
(tear down, etc.), and this sort of stuff; this would be my choice.
    Provide the functionality, provide a nice FAQ and examples of
standard practices, but give the user the power to do whatever he
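The TLS name extension discussed in this message is the server_name extension of RFC 3546 (later known as SNI), which stock OpenSSL did not carry in 2005. As an added illustration that is not part of this thread nor of the openSER or OpenSSL code, the Python below builds a TLS 1.0 ClientHello carrying that extension and parses the host name back out, bounds-checking every length field on the way. The host names, the cipher-suite list and the fixed-size client_random default are constructed for the example, not taken from any real capture.

```python
"""Wire-level encoding and parsing of the TLS server_name (SNI) extension,
RFC 3546 section 3.1, as a stand-alone illustration (not openSER/OpenSSL code).
TLS 1.0 framing (0x0301) is used because that is what was current in 2005."""
import os
import struct
from typing import Optional, Tuple

TLS10 = b"\x03\x01"
CONTENT_HANDSHAKE = 22       # ContentType handshake(22)
HANDSHAKE_CLIENT_HELLO = 1   # HandshakeType client_hello(1)
EXT_SERVER_NAME = 0          # ExtensionType server_name(0)
NAME_TYPE_HOST_NAME = 0      # NameType host_name(0)


def build_sni_extension(hostname: str) -> bytes:
    """Encode one host_name ServerName inside a server_name extension:
    ext_type(2) ext_len(2) list_len(2) name_type(1) host_len(2) host."""
    host = hostname.encode("ascii")          # RFC 3546: ASCII, no trailing dot
    if not 1 <= len(host) <= 0xFFFF:
        raise ValueError("hostname length out of range")
    server_name = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(host)) + host
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def build_client_hello(hostname: Optional[str], client_random: Optional[bytes] = None) -> bytes:
    """Build a minimal TLS 1.0 ClientHello record. With hostname=None the
    extensions block is omitted entirely, as a pre-RFC-3546 client would do.
    The two cipher suites are a constructed sample, not a recommendation."""
    if client_random is None:
        client_random = os.urandom(32)       # a real client must use fresh randomness
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    cipher_suites = b"\x00\x2f" + b"\x00\x35"   # TLS_RSA_WITH_AES_128_CBC_SHA, _256_
    body = (
        TLS10
        + client_random
        + b"\x00"                                   # empty session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                               # compression_methods: null only
    )
    if hostname is not None:
        extensions = build_sni_extension(hostname)
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = struct.pack("!B", HANDSHAKE_CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!B2sH", CONTENT_HANDSHAKE, TLS10, len(handshake)) + handshake


def _take(buf: bytes, pos: int, n: int) -> Tuple[bytes, int]:
    """Slice n bytes at pos, refusing to read past the end of the buffer."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def parse_sni(record: bytes) -> Optional[str]:
    """Walk one ClientHello record and return the SNI host_name, or None if the
    client sent no server_name. Every length field is checked against the
    enclosing buffer; trusting client-supplied lengths is how an SNI parser
    turns into a server crash."""
    hdr, pos = _take(record, 0, 5)
    content_type, _version, rec_len = struct.unpack("!B2sH", hdr)
    if content_type != CONTENT_HANDSHAKE or rec_len != len(record) - 5:
        raise ValueError("not a single complete handshake record")
    hs_hdr, pos = _take(record, pos, 4)
    if hs_hdr[0] != HANDSHAKE_CLIENT_HELLO or int.from_bytes(hs_hdr[1:4], "big") != len(record) - 9:
        raise ValueError("not a ClientHello")
    _, pos = _take(record, pos, 2 + 32)                         # client_version, random
    sid_len, pos = _take(record, pos, 1)
    _, pos = _take(record, pos, sid_len[0])                     # session_id
    cs_len, pos = _take(record, pos, 2)
    _, pos = _take(record, pos, struct.unpack("!H", cs_len)[0])  # cipher_suites
    cm_len, pos = _take(record, pos, 1)
    _, pos = _take(record, pos, cm_len[0])                      # compression_methods
    if pos == len(record):
        return None                                             # no extensions block
    ext_len, pos = _take(record, pos, 2)
    exts, pos = _take(record, pos, struct.unpack("!H", ext_len)[0])
    if pos != len(record):
        raise ValueError("trailing bytes after extensions")
    epos = 0
    while epos < len(exts):
        eh, epos = _take(exts, epos, 4)
        etype, elen = struct.unpack("!HH", eh)
        edata, epos = _take(exts, epos, elen)
        if etype != EXT_SERVER_NAME:
            continue
        lh, dpos = _take(edata, 0, 2)
        names, dpos = _take(edata, dpos, struct.unpack("!H", lh)[0])
        if dpos != len(edata):
            raise ValueError("bad ServerNameList length")
        npos = 0
        while npos < len(names):
            nh, npos = _take(names, npos, 3)
            name_type, name_len = struct.unpack("!BH", nh)
            name, npos = _take(names, npos, name_len)
            if name_type == NAME_TYPE_HOST_NAME:
                return name.decode("ascii")
        return None                                             # extension present, no host_name
    return None


if __name__ == "__main__":
    hello = build_client_hello("sip.example.net")               # constructed sample host
    print(len(hello), "bytes;", "SNI =", parse_sni(hello))
```

The point for a SIP proxy hosting several domains on one TLS port is the `parse_sni` half: the server must know which certificate to present before it has sent anything, so the host name has to be read out of the ClientHello, and every length in that message is attacker-controlled until it has been checked.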