Jack Moffitt <j...@metajack.im> wrote:
> Since we currently use OpenSSL via hyper, this means the trait would
> be used there. I assume we'll also need a trait for the pki parts (and
> those are in Servo I think).
>
> With that boundary we could replace OpenSSL with NSS and then add
> others as they come online. The main complication of multiple options
> is QA. If we don't run them through CI they are likely to bitrot
> quickly.

This is unlikely to work well. It is based on an assumption that it
makes sense for all crypto libraries to work the same way and provide a
similar API. I expect, in particular, that Rust crypto libraries are
going to be able to take advantage of Rust's strengths to offer fearless
concurrency in a way that legacy crypto libraries would struggle to keep
up with. Plus, abstracting everything over traits requires all users of
the crypto code to be abstracted over those traits and/or use Trait
objects, which would force them into sub-optimal memory management
decisions.

> One reason I would like to see the NSS bindings is that other projects
> in the Rust ecosystem may need more confidence in the crypto bits or
> functionality not yet implemented. Not every project in Rust is as
> pre-production as Servo. NSS bindings are also likely to be better
> maintained than the existing OpenSSL stuff with support from upstream.

Outside of the NSS team, who has more confidence in NSS than *ring* +
webpki + Rustls, BoringSSL, or OpenSSL? And, what is the reasoning?

Comparing NSS and other things is a difficult topic to talk about
because I am a former NSS team member and I don't want anybody to
misinterpret anything I say as disrespect for Wan-Teh Chang, Bob Relyea,
and the people that comprised the NSS team prior to me leaving it in
2014. However, if you do a **technical** comparison of NSS to other
options, I don't think NSS would compare favorably.

As far as political support for NSS is concerned, I agree with what
Patrick said, based on having recently talked to the tech leads of
crypto/TLS teams of many organizations.

Cheers,
Brian
--
https://briansmith.org/
_______________________________________________
dev-servo mailing list
dev-servo@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-servo