|
Posted by Mike on November 24, 2006, 7:41 pm
If you were Registered and logged in, you could reply and use other advanced thread options
Hello,
I have been implementing a C++ class library for several years that I
plan to publish as open source. It currently implements a lot of core
objects such as strings, lists, maps, sockets, etc. but has a fair
amount of security-based objects as well: RSA, DSA, and Diffie-Hellman,
X.509v3 certificates and certificate revocation lists (CRL's),
transport layer security (SSL/TLS), and SMTP, POP3, and FTP clients all
capable of negotiating TLS.
My question is: if I were to make this library public today, what would
you consider to be missing? I am kind of at a loss for what to work on
next.
Thanks for any suggestions,
Mike
|
|
Posted by Sebastian Gottschalk on November 25, 2006, 5:56 am
If you were Registered and logged in, you could reply and use other advanced thread options
Mike wrote:
> Hello,
>
> I have been implementing a C++ class library for several years that I
> plan to publish as open source. It currently implements a lot of core
> objects such as strings, lists, maps, sockets, etc. but has a fair
> amount of security-based objects as well: RSA, DSA, and Diffie-Hellman,
> X.509v3 certificates and certificate revocation lists (CRL's),
> transport layer security (SSL/TLS), and SMTP, POP3, and FTP clients all
> capable of negotiating TLS.
>
> My question is: if I were to make this library public today, what would
> you consider to be missing? I am kind of at a loss for what to work on
> next.
Well, no-one would use it. Basic data structures like strings, lists and
maps are already covered by the C++ STL and probably well-extended by the
Boost Library.
Sockets are nothing special. In-Depth networking is already covered by
Libpcap.
For cryptographic stuff, we already have LibCrypt, Crypto++, LibTomCrypt,
OpenSSL and LibGCrypt. For TSL we've got OpenSSL and GnuTLS. Various
application procotols are covered by either being trivial or covered by
many libraries.
There has been much more engineering effort put into these by many more
people than yours will ever have.
So, if your library doesn't have any special benefit (f.e. having received
a special certification like ISO 9006, Common Criteria or FIPS 140-2,
extreme compliance to some coding standard, highly portable and still
plattform-optimized implementation), you won't receive much attention.
|
|
Posted by Mike on November 25, 2006, 10:34 pm
If you were Registered and logged in, you could reply and use other advanced thread options
> Mike wrote:
>
> > I have been implementing a C++ class library for several years that I
> > plan to publish as open source. It currently implements a lot of core
> > objects such as strings, lists, maps, sockets, etc. but has a fair
> > amount of security-based objects as well: RSA, DSA, and Diffie-Hellman,
> > X.509v3 certificates and certificate revocation lists (CRL's),
> > transport layer security (SSL/TLS), and SMTP, POP3, and FTP clients all
> > capable of negotiating TLS.
> >
> > My question is: if I were to make this library public today, what would
> > you consider to be missing? I am kind of at a loss for what to work on
> > next.
>
> Well, no-one would use it. Basic data structures like strings, lists and
> maps are already covered by the C++ STL and probably well-extended by the
> Boost Library.
The big advantage of using my library is that the interfaces are very
clean and easy to use. I also have added lots of functionality to,
say, my string class that you won't find in STL string. Unicode 5.0
support including normalization (all 4 forms), upper/lower case
conversions, and collation to name a few.
In fact, since it's impossible to come up with the representation of a
string to suit everyone, my string is templatized on that. I have
created stack based strings that don't allocate any memory,
non-reference-counted heap based strings, reference-counted strings
that are safe for use in multi-threaded programs, and faster
reference-counted strings that can be used
in a single-threaded program. If you don't like any of those, then you
can create you own, and the whole library will work with your custom
string representation.
> Sockets are nothing special. In-Depth networking is already covered by
> Libpcap.
Again my Socket interface is very easy to use. In fact if you decide
to add TLS support to a program, you only need a couple extra lines of
code. The rest of the program doesn't change. With OpenSSL or gnutls,
that is not the case.
> For cryptographic stuff, we already have LibCrypt, Crypto++, LibTomCrypt,
> OpenSSL and LibGCrypt. For TSL we've got OpenSSL and GnuTLS. Various
> application procotols are covered by either being trivial or covered by
> many libraries.
Well honestly, I use OpenSSL's libcrypto for all the encryption and
public key algorithms. I just put a pretty face on them that again is
much easier to use. I implemented all SSL/TLS code myself though, and
it supports version 1.1 (OpenSSL currently only supports TLS 1.0), and
even supports the current draft of TLS 1.2.
> There has been much more engineering effort put into these by many more
> people than yours will ever have.
I'm not conceited, but you underestimate me. I've been writing C++
code since 1993 and am quite fast -- it took less than 10 weeks to
fully implement SSL3/TLS 1.0, 1.1, and 1.2, complete with session
caching and resumption, session renegotiation, client authentication,
and some TLS extensions.
> So, if your library doesn't have any special benefit (f.e. having received
> a special certification like ISO 9006, Common Criteria or FIPS 140-2,
> extreme compliance to some coding standard, highly portable and still
> plattform-optimized implementation), you won't receive much attention.
Thanks for providing something constructive. I will look into what it
would take to get certified. As for portability, I have computers
running Windows XP, Suse Linux (64-bit), and Mac OS/X. Programs using
my toolkit compile and run unmodified on each. There is no reason the
code wouldn't readily port to any other version of UNIX.
I would bet that even you would use my library, and you would hope your
competitors don't.
Mike
|
|
Posted by Sebastian Gottschalk on November 26, 2006, 6:20 am
If you were Registered and logged in, you could reply and use other advanced thread options
>> Well, no-one would use it. Basic data structures like strings, lists and
>> maps are already covered by the C++ STL and probably well-extended by the
>> Boost Library.
>
> The big advantage of using my library is that the interfaces are very
> clean and easy to use.
No, that's the description of C++ STL.
> I also have added lots of functionality to,
> say, my string class that you won't find in STL string. Unicode 5.0
> support including normalization (all 4 forms), upper/lower case
> conversions, and collation to name a few.
Well, this doesn't belong in there - this belongs to a separate utility
collection class for string manipulation.
> In fact, since it's impossible to come up with the representation of a
> string to suit everyone, my string is templatized on that. I have
> created stack based strings that don't allocate any memory,
> non-reference-counted heap based strings, reference-counted strings
> that are safe for use in multi-threaded programs, and faster
> reference-counted strings that can be used
> in a single-threaded program.
And again, you mixed stuff together with no need. Reference counting is
exactly what LibBoost adds, and stack-based strings are, well, strange.
>> Sockets are nothing special. In-Depth networking is already covered by
>> Libpcap.
>
> Again my Socket interface is very easy to use. In fact if you decide
> to add TLS support to a program, you only need a couple extra lines of
> code. The rest of the program doesn't change. With OpenSSL or gnutls,
> that is not the case.
IBTD, this is exactly what OpenSSL and GnuTLS do.
>> There has been much more engineering effort put into these by many more
>> people than yours will ever have.
>
> I'm not conceited, but you underestimate me. I've been writing C++
> code since 1993 and am quite fast -- it took less than 10 weeks to
> fully implement SSL3/TLS 1.0, 1.1, and 1.2, complete with session
> caching and resumption, session renegotiation, client authentication,
> and some TLS extensions.
OK, and what about unit testing, bug testing, real-world testing?
|
|
Posted by Mark Trimble on November 25, 2006, 9:41 am
If you were Registered and logged in, you could reply and use other advanced thread options
> Hello,
>
> I have been implementing a C++ class library for several years that I
> plan to publish as open source. It currently implements a lot of core
> objects such as strings, lists, maps, sockets, etc. but has a fair
> amount of security-based objects as well: RSA, DSA, and Diffie-Hellman,
> X.509v3 certificates and certificate revocation lists (CRL's),
> transport layer security (SSL/TLS), and SMTP, POP3, and FTP clients all
> capable of negotiating TLS.
>
> My question is: if I were to make this library public today, what would
> you consider to be missing? I am kind of at a loss for what to work on
> next.
>
> Thanks for any suggestions,
>
> Mike
Victorinox' trademark. <ha ha, only serious>
In more level-headed terms, from an engineering standpoint, I would
recommend you split this little library into two or more segments, one for
your user interface object, as strings; one for internals, as maps and
sockets, and one or more others for security/networking. That way, each
segment can be focused on a discrete number of challenges, and answer them
more effectively than if everything were in one big class.
|
| Similar Threads | Posted | | 24/7 Computer Technical Support | April 5, 2006, 3:29 pm |
| 24/7 Computer Technical Support | April 5, 2006, 1:40 pm |
| Validy Technology: A program protection method that really works. | August 3, 2005, 6:09 am |
| Rescuing a School Technology Program: Linux Thin-C | September 24, 2005, 8:04 pm |
| New Scientist Tech - Technology - Pentagon sets its sights on social networking websites | June 9, 2006, 8:50 pm |
| Security Breaches Pandemic - Deloitte Touche 2006 Global Security Survey | June 26, 2006, 11:15 pm |
| New site dedicated to security conferences : www.security-briefings.com | May 6, 2006, 11:04 am |
| AOL Offers Security Tool - Active Security Monitor | June 10, 2006, 1:20 am |
| Re: Internet Security Software.(computer internet security) | April 27, 2008, 7:43 am |
| Security can be fun ! | June 28, 2005, 4:09 pm |
|
XML site map