[Osiris-devel] osiris version 2.0 goals and considerations

Brian Wotring brian at shmoo.com
Fri Mar 8 10:30:26 EST 2002


On Thursday, March 7, 2002, at 09:56 PM, Aaron Racine wrote:

> # > - OpenSSL for all encryption and authentication methods.
> # >
> # > a lot of discussion will need to take place to make sure this is
> # > done correctly. What about OpenSSL support on platforms like
> # > windows.  Has entropy gathering become usable for this type of
> # > product on this platform yet?
> #
> # Entropy is overrated ;)  seriously, we should be able to leverage
> # other OSS projects that deal with making good sources of entropy to
> # kill this problem (if it's a real problem).
>
> Have you considered packaging stunnel [www.stunnel.org] with Osiris
> instead of re-implementing ssl functionality?  It seems to be meant
> for pretty much this exact situation, and it runs on *nix and Windows
> (comes with a couple dll's to install, which the author claims are
> from the default installation of openssl).

re-implementing?  Maybe I don't understand what you mean.  My 
understanding of stunnel is that it is basically just a wrapper and 
makes use of the OpenSSL libraries just as we could.  I don't see the 
advantage.  I would imagine that we would get to a point where we wanted 
to use a specific feature of libssl that the stunnel wrappers didn't 
address, in which case we'd be just using the libraries anyway.  So why 
even involve stunnel?  OpenSSL even compiles on Windows.  Also, we 
certainly don't want to install any shared libraries as that can be a 
messy process when dealing with multiple platforms.

Or am I just not understanding your concern?

From what I remember, the biggest pain about OpenSSL is the lack of 
documentation but we know a handful of people who know a lot about the 
library or are actively involved with its development, so that shouldn't 
be a problem.

> # > - protocol suitcase for talking to various devices/hosts.
> # >
> # > routers are the main issue here. We talk to our own code
> # > otherwise.  What
> # > will be the functionality we want out of this, just grabbing
> # > the config?  More?
> # >
> # I'm all for generic protocol interfaces that are agnostic to the
> # underlying device... For those who shot the shit on FEMA, this
> # should sound familiar.  We need to put some thought into this.  At
> # this point, I don't know if it's feasible.
>
> I agree that generic interfaces would be ideal.  One comment on
> getting info from routers (or networking infrastructure in general) is
> that it seems like a different model than the main client-server
> design.  Unless you're talking about a Juniper router, you're not
> going to be running an osiris client on the network infrastructure.
> Would you have a special client that would be responsible for querying
> the infrastructure, or would the central host be responsible for that,
> or... ?

The central management host.

> Is there a way to get access to the development code (cvs/webcvs), or
> is it pretty much closed-devel w/ the list being to discuss devel
> ideas?

We're working on that.  Right now all that is available are the 
snapshots and the latest release via HTTP.  I would like to make the cvs 
repository available via cvsweb, more on that as it develops.

> Regards,
> Aaron
>
> P.S.  R.I.P. FEMA

Thanks, I think all the people involved with that project learned a lot 
despite its decline in momentum.

--
   Brian Wotring ( brian at shmoo.com )
   PGP KeyID: 0x9674763D
