Comments inlined below

> -----Original Message-----
> From: Ian Grigg [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 06, 2003 10:35 PM
> To: Jill Ramonsky
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Simple SSL/TLS - Some Questions
>
> The only question I wasn't quite sure of
> was whether, if I take your code, and modify it,
> can I distribute a binary only version, and keep
> the source changes proprietary?

You can't distribute a binary only version of ANY crypto product, surely? No crypto product can EVER be trustworthy unless you can see the source code and verify that it has no back doors, and then compile it. Unless you give your users the power to inspect the source code, and /know/ that it is the source code (because they can actually compile it and run the resulting executable) then you could have put all sorts of back doors into it. You could have added password theft, key escrow, who knows what?

Don't get me wrong. I agree with you that crypto has enough barriers already, and I would like to produce something that is as freely distributable as possible. "For the masses" crypto is, I guess, an unwritten design goal. But allowing people to hide the crypto source from crypto users would allow the bad guys (you can define your own bad guys) to produce Trojan Horse crypto. Closed source crypto is to all intents worthless. (In my opinion). Please feel free to argue that I'm wrong.


> My own philosophy has always been that crypto has
> enough barriers on it already, so it should not
> add any more personality quirks than necessary,
> hence preference for BSD two clause. Mind you,
> such a statement is a personality quirk, so you
> be your own judge.

Eek. Was my paragraph above a personality quirk? I thought it was a sound cryptographic principle.


> Names are really hard. I'd defer that one until
> it pops out.

I agree. But ruling them out is easy. We've already ruled out EasyTLS, GnuTLS and Pretty Good TLS. That's narrowing things down. Top of the list currently is TLS++, but that kind of implies it won't work with C. (This will actually be true for the prototype, but not, I hope, true indefinitely). I think I'll stick with that for now until a better one comes up.



> Q:  Does your employer  have any say or comment
> on this project?  Might be wise to clear up the
> posture, and either get it in writing, or make
> the repository public from the git-go.  Many an
> open source project has foundered when the boss
> discovered that it works...

It has absolutely nothing whatsoever to do with my employer. All my code will be written at home in my spare time, and uploaded to CVS or whatever also from home. It is true that I happen to be sending this email from work, but even that's in my own time. I don't see how they have any say. To be /really/ safe, I'd be happy to always post to this list only from home, but right now I don't think it's a problem.

How do I go about changing the email address with which I'm a member of this list?


Jill



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
