[Twisted-Python] AutobahnPython 0.6.3 - WebSocket compression and more

Tobias Oberstein tobias.oberstein at tavendo.de
Mon Oct 7 01:51:42 MDT 2013


>>>So in practice, I _have_ to use a CA that is built into all major browsers.

>>You're assuming a lot here.  Perhaps TLS is broken for all the uses you're interested in - that doesn't mean it's broken for everyone else's uses.

@Jean-Paul: Granted .. good catch.

My interest is the Web/browser, and also non-browser clients working in a Web-compatible way.

>Tobias, all of the things you've said here about browser UI, enterprise networks, and key management tooling are true; however, note that none of those nouns are "TLS".

@Glyph:

I agree: "browser UI" is formally unrelated to TLS
I (mostly) agree: locked down enterprise networks are orthogonal to TLS - formally.

And the "key management" system being orthogonal to TLS: a very good point.

The problem is X.509, and TLS today uses only that, but it is capable of using different schemes in principle.

I did some further looking around: turns out there is TLS-PGP

http://tools.ietf.org/html/rfc6091

Does someone know whether OpenSSL supports that?

[Sidenote: if not, one more reason why a pure Python TLS implementation (then with RFC6091) would rock. The other reason being the total awesomeness of the OpenSSL codebase;) And the third: PyPy.]

> 1. Write some code that uses TLS (which is a wire protocol, after all, not a trust model or set of trust roots, nor a key management UI) and addresses these issues, by implementing a new trust model, protocol for exchanging trust roots, or key management UI, and selecting appropriate ciphers.
> 2. Write some code that uses a brand new wire protocol with unknown, unaudited security properties, also implementing appropriate ciphers, and also implementing all of the things in point 1.

>One of these options seems obviously superior to me :-).

Yeah;) 

1) => RFC6091

>>*This* is probably now sufficiently off-topic, though...

>Man, are there some kind of Topic Police everyone is worried about? Do I need to start taking extra precautions when I write to mailing lists? :-)

Got it. It's just that different communities have different social codes.
But it's good that Twisted has no "Topic Police".
I like that .. term and fact;)

>I think this is on-topic enough, since this might inform TLS work with Twisted in the future, and Vertex has been brought under the Twisted umbrella recently, https://github.com/twisted/vertex and it seeks to provide a different trust model with TLS and Twisted.

Is there any intro / architecture document? I'd like to read more .. 

/Tobias
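The option Glyph lists as point 1 above (keep TLS as the wire protocol, replace the trust model) is easy to misread as abstract. The following is an added example written for this page, not code from Tobias's post, from Twisted, from Vertex or from RFC 6091. It uses only the Python standard library `ssl` module: the X.509 chain validation is switched off, and trust is decided by a trust-on-first-use pin store keyed by (host, port). `TofuPinStore`, `connect_pinned` and the constructed "DER" byte strings are all illustrative names and inputs, not an API of any real project.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """The peer presented a certificate that differs from the pinned one."""


class TofuPinStore:
    """Trust-on-first-use store: (host, port) -> SHA-256 fingerprint of the
    peer's DER-encoded end-entity certificate.

    This is an illustrative trust model standing in for the X.509 CA chain;
    it is not part of Twisted, pyOpenSSL or RFC 6091.
    """

    def __init__(self, pins=None):
        # Caller may preload pins learned out of band (e.g. from a config file).
        self.pins = dict(pins or {})

    @staticmethod
    def fingerprint(der_cert: bytes) -> str:
        """Hex SHA-256 over the raw DER bytes of the certificate."""
        return hashlib.sha256(der_cert).hexdigest()

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        """Decide trust for one peer certificate.

        Returns "pinned" on first contact (the pin is recorded), "match" when
        the certificate equals the recorded pin, and "mismatch" otherwise.
        A mismatch is never recorded, so a MitM cannot overwrite a good pin.
        """
        key = (host, port)
        fp = self.fingerprint(der_cert)
        if key not in self.pins:
            self.pins[key] = fp
            return "pinned"
        if hmac.compare_digest(self.pins[key], fp):
            return "match"
        return "mismatch"


def connect_pinned(host: str, port: int, store: TofuPinStore, timeout: float = 10.0):
    """Open a TLS connection whose trust decision comes from the pin store,
    not from the system CA bundle. Raises PinMismatch (and closes the socket)
    when the peer's certificate does not match a previously recorded pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared *before* verify_mode is set to CERT_NONE,
    # otherwise the ssl module refuses the combination.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # no X.509 chain building; we decide below
    raw = socket.create_connection((host, port), timeout=timeout)
    # server_hostname still sends SNI, so a virtual-hosted peer picks the right cert.
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)  # raw DER even with CERT_NONE
        if not der:
            raise PinMismatch("peer sent no certificate")
        if store.check(host, port, der) == "mismatch":
            raise PinMismatch("certificate for %s:%d changed" % (host, port))
    except PinMismatch:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; real ones come from getpeercert().
    store = TofuPinStore()
    print(store.check("example.test", 443, b"constructed-der-cert-A"))  # pinned
    print(store.check("example.test", 443, b"constructed-der-cert-A"))  # match
    print(store.check("example.test", 443, b"constructed-der-cert-B"))  # mismatch
```

Two caveats a practitioner would want stated. First, `CERT_NONE` also disables the `ssl` module's hostname check, which is why the store is keyed by host and port rather than by fingerprint alone. Second, the first connection is unauthenticated by construction (that is what "first use" means), and pinning the whole certificate breaks on every renewal; pinning the SubjectPublicKeyInfo instead survives re-issuance with the same key, but that needs DER parsing and is left out here.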
More information about the Twisted-Python mailing list