Ben Laurie wrote:
> I'd note that most of the work of supporting these things has to be
> done in OpenSSL, and unlike Apache, OpenSSL does not have a large
> funded development community.
>
> Expecting volunteers to rush to implement every cute TLS feature is
> asking a lot. The way to make this happen is to find money for OpenSSL
> development.
Ben:
I am very well aware that compared to the applications that use OpenSSL,
those working on OpenSSL find it next to impossible to obtain
contributions to support their efforts. Individuals and small
businesses are not going to write a check for OpenSSL (or an OpenSSL
contributor) to develop this code. That's not how people think.
Instead someone will write a check to Apache to implement support
for said feature because they want it in their web server. The Apache
folks will respond with (a) once OpenSSL gives it to us we will have
it so don't worry about it; and (b) it won't do you any good anyway
because the browsers, webdav clients, etc. don't implement it.
We are therefore left with a serious catch-22. The only way that we
can get functionality like this implemented is to first obtain agreement
from the client and server vendors. Only then might it become
reasonable to expect end users to step up with funding.
