Ok... you're right... so this begs two questions then:
1) Is there a standard? Is SSL 3 a standard or a specification open to
variation?
2) Assuming we are talking about something relatively low level... a
protocol as a unit like Blowfish or IDEA. Is that not an atomically defined
item such that there can't be significant variation?
We can choose to implement "Blowfish" in thousands of different ways... with
different languages and compilers and so on... but is there a reason to do
so?
Was there a problem with using the openssl libraries?
Were they deemed not stable enough (in terms of interface or
implementation)?
Was it a decision to reduce reliance on foreign code (out of developers'
immediate control)?
I'm not arguing the choice - just trying to understand it...
For example...
I worked on a project recently to do with file archiving and transport...
I could have written my own implementation of a transport protocol, and my
own zip based on freely available documentation...
But I used another in existence... it was less expensive in terms of time
(which no matter how you slice it translates into $)
Maybe that was the reason? SSH wanted to go commercial and a restriction in
the open SSL license would have prevented or interfered??
I'll admit this is an academic discussion, but I'm just hoping to improve my
own decision making in these matters by understanding that of others...
thanks again.
--
--------------------------------------------
Mitch Cant <[EMAIL PROTECTED]>
DDP Consulting Group, Vancouver BC Canada
Phone: 604-294-9193 Fax: 604-294-9155
Web Page: http://www.ddp.ca/
--------------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Thierry Michalowski
Sent: Tuesday, May 18, 1999 09:35
To: Mitch Cant; [EMAIL PROTECTED]
Subject: Re: A question about encryption algorithms.... (fwd)
I just should point you to this remark: the difference between a specification,
whatever sort it is (RFC, what you call "standard"...) and an implementation is
all the point. Look at the "specification" of other protocols, namely IMAP,
LDAP and so on...
You cannot rely on a specification to trust all the different implementations
everywhere, just because all developers are _different_.
Hope this helps
Thierry Michalowski