[Help-gnutls] Re: GnuTLS vs OpenSSL vs NSS

[Simon Josefsson]

Daniel Kahn Gillmor <dkg-debian.org at fifthhorseman.net> writes:

> On Thu 2007-05-03 12:04:44 -0400, Simon Josefsson wrote:
>
>> devel <dev001 at pas-world.com> writes:
>
>>> Support to hardware accelerator and other devices.
>>
>> Adding it would be good.
>
> I also think this would be worth including.  openSSL's "engine"
> architecture and NSS's "security modules" provide some food for
> thought.  I don't know GnuTLS well enough to know if there's a
> comparable API for either of these, so i'd very much like to see them
> compared by someone knowledgable.

Right, I think we should mention this.  There is no equivalent feature
in GnuTLS yet, but I'm working on PKCS#11 support to address one aspect
of this (client smart card authentication) and made the first release a
few days ago.

> As nice as those frameworks are for encouraging hardware crypto
> (smartcard support, etc), i think they also provide yet another place
> for security concerns to pop up.  So they're a mixed bag.

Yup.

> You might also want to clarify that this table is comparing *free* TLS
> implementations, or else add some non-free implementations to the
> list.

Oh, right.  I made this clear at the top of the page now.

Btw, I'd like to add other free TLS libraries to the list.  That's why I
made the implementations have one row each in the tables, rather than
having the implementations be one column each.  This allows the list of
implementations to be added easily, without clobbering the page too
much.

> Lastly, i'd be very excited if the headers of the various columns
> could be links to the specifications of the features to which they
> refer.  That could make this page an all-around reference point for
> TLS functionality and specifications, which would be great.

Good idea.

> Thanks for writing this up, Simon.  It's great.

Thanks for the support.  I hope people more familiar with OpenSSL and
NSS will provide the appropriate feedback.

/Simon