On 16 Jan 2014, at 19.17, Chris Cappuccio <ch...@nmedia.net> wrote:
> OpenBSD has already begun incorporating NaCl by bypassing OpenSSL entirely.

Good news - perhaps my philosophy is “why lay a lot of small bricks here and 
there when you can lay a cornerstone and be done with it?”. But perhaps I am 
not taking all things into consideration.


> I can't speak for the architectural issues but I can't imagine that I or you
> are the only people imagining better cipher suites in the base system.

You are certainly right - that would be just naive. The OpenBSD approach to 
things is generally to make the interfaces as simple as possible, drop-dead 
simple. This eliminates configuration mistakes. Take OpenNTPD for example - 
it’s simply beautiful what has been done with the configuration interface.

A systemwide autocipher engine device could easily be incorporated directly 
into PF, no? block all cipher hmac-sha1 (for example).

-mike
