Subject: Re: reviewing code
From: "Forrest J. Cavalier III" <mibsoft@mibsoftware.com>
Date: Wed, 28 Aug 2002 22:13:58 -0400 (EDT)


> Who has (literally) signed off on the SSL libraries after careful
> review?  I'm willing to take the risk that, if a few good people write
> up a good review, that those libraries are fine.  Not that there's a
> final state at which I would just assume, forever and ever, that those
> libraries are fine -- just that I'd be happy to buy into a decent
> process.
> 

Actually that is the problem I see with the 'arch' concept.
Sharing code is great and arch promotes innovation.  But
people pay for tools and software they trust.

------------------------------------------------------------

To answer your direct question, I did look carefully at SSLeay
(before it became OpenSSL) and it looked pretty "well-done"
to me.

Since then there have been certificate verification
problems reported, so I guess my review was not as complete
as it should have been.

As for OpenSSL, well... last time I checked the tarballs
were signed by a personal GPG/PGP key which was only self-signed
(or signed by one of the others in the group.) !!

A quick email received no reply, and because of that I
started looking hard at the predecessor SSLeay libraries
instead.

RSA has (had?) SSL libraries.  (It is possible to write
C macros so that code can use either RSA or SSLeay or OpenSSL
at compile time.)