Interview with GNU TLS developer Nikos Mavroyanopoulos
By brian, Section Interviews
Posted on Thu Dec 18th, 2003 at 14:24:20 GMT
Nikos Mavroyanopoulos is one of the main developers of the GNU TLS transport layer security library, which reached its major 1.0 release this month. In this interview he talks about the history of the project, security in general and why he is a supporter of the free software philosophy.

For those who aren't familiar with GNU TLS, can you give a brief description of what it does and its role in the GNU Project?

Nikos Mavroyanopoulos: GNUTLS is a library implementation of the SSL 3.0 and TLS 1.0 protocols. Its purpose is to provide applications an authentication and encryption layer over an existing transport layer such as TCP/IP. The authentication part includes implementation of the X.509 certificate authentication framework, the OpenPGP framework as well as password authentication with SRP.

Many people will have heard of "SSL", from its use in the web. What is the difference between "SSL" and "TLS"?

Some time ago there was no standard for security protocols on the internet. SSL 2.0 was the first and de facto standard used by the Netscape browsers and servers, but there was also Microsoft's PCT 1.0. The IETF then formed the Transport Layer Security working group, whose purpose was to create a single protocol for the internet. The TLS working group's first protocol was called TLS 1.0, and was based on the last protocol issued by Netscape, SSL 3.0. In brief they are almost the same thing, with TLS 1.0 being an updated version of SSL 3.0.

There are some existing implementations of SSL, such as SSLeay or OpenSSL. What are the differences between GNU TLS and these packages?

OpenSSL and SSLeay can be seen as the same thing, since OpenSSL is the continuation of the SSLeay library. They are both very good SSL and TLS toolkits, and have a long history behind them. Their license however contains an advertising clause which is incompatible with the GNU GPL. This was the reason that made the GNU project seek an alternative TLS implementation. Other than that, the purpose of OpenSSL and GnuTLS is the same, that is to provide applications a security framework.

Can you tell us a little about the history of the GNU TLS project and the people involved?

Some time after I volunteered to work for the FSF I was contacted by Werner Koch (the gnupg author), who asked whether I could create an SSL implementation for the GNU project. It seemed quite a huge project for me then, but I agreed anyway. Together with Tarun Upadhyay we started gnutls in February 2000.

About a year later a first prerelease was available. At that time the project had almost reached a dead end, since Tarun had quit, and the certificate part which was required for a proper release was nonexistent. In order to start coding the certificate part, I desperately needed an ASN.1 DER parser, which was not available at that time.

That was the time that Fabio Fiorina offered to help, and in about May 2001 he contributed an excellent ASN.1 library (now called libtasn1). That library gave a boost to gnutls' development, and within the summer we had some alpha releases of gnutls called 0.2.x with X.509 certificate support. We had hopefully escaped the dead end.

The idea of using OpenPGP keys in TLS instead of X.509 certificates was carried out by Timo Schulz, who offered to help in February 2002. Thanks to his fine opencdk library and his help, gnutls now has support for OpenPGP keys as an alternative to X.509 certificates.

In July 2002 Andrew McDonald contributed an OpenSSL compatible interface, which has been included in gnutls since then.

We finally released gnutls 1.0.0, the first version to be considered as stable, in December 2003.
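
The certificate work described above depends on an ASN.1 DER parser. The following is an added example (not gnutls or libtasn1 code) of the tag-length-value decoding such a parser does, with the length checks that keep a malformed certificate from reading past its buffer; the sample bytes are a constructed X.509 AlgorithmIdentifier.

```python
# Added example (not gnutls/libtasn1 code): a minimal DER TLV decoder with the checks an X.509 parser needs.
class DERError(ValueError):
    pass

def read_tlv(buf, pos):
    """Decode one element at pos; return (tag, value bytes, next position)."""
    if pos + 2 > len(buf):
        raise DERError("truncated: missing tag or length byte")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: one length byte
        length = first
    else:                                 # long form: 0x80 | number of length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise DERError("indefinite or oversized length is not DER")
        if pos + nbytes > len(buf):
            raise DERError("truncated length field")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        # DER demands the shortest encoding: no leading zero octet, long form only >= 0x80
        if buf[pos] == 0 or length < 0x80:
            raise DERError("non-minimal length encoding")
        pos += nbytes
    if pos + length > len(buf):           # never trust a length without this check
        raise DERError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode(buf):
    """Parse a buffer into nested (tag, value) lists, recursing into SEQUENCE/SET."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, decode(value) if tag & 0x20 else value))  # 0x20: constructed
    return out

def decode_oid(value):
    """Turn OID content octets into dotted form; the first octet packs two arcs."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends the base-128 arc
            arcs.append(n)
            n = 0
    if n:
        raise DERError("truncated OID arc")
    return ".".join(map(str, arcs))

def check(buf):
    """Return None if buf is well-formed DER, else the reason it was rejected."""
    try:
        decode(buf)
        return None
    except DERError as exc:
        return str(exc)

SAMPLE = bytes.fromhex("300d06092a864886f70d01010b0500")  # constructed: AlgorithmIdentifier, sha256WithRSAEncryption
```

Running `decode(SAMPLE)` yields the SEQUENCE with its OID and NULL members, and `check()` on a truncated or non-minimally encoded buffer returns the reason it was rejected instead of silently over-reading.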

Are there any GNU programs which don't use TLS currently, that you would like see converted to use it?

Well, gnutls was mostly tested in server applications, so I'm now more interested in seeing more feedback from client applications.

If somebody wants to use GNU TLS in an existing networked application communicating over standard Unix sockets, is it complicated to do that?

I tried to make the porting of existing network applications as painless as possible. The TLS part was built with Berkeley sockets as a model, so network programmers find it familiar. Of course someone shouldn't expect the API to be exactly like the Berkeley functions, since gnutls offers features that do not exist in TCP/IP. A basic knowledge of public key infrastructure is also needed in order to understand why some steps are needed.

I have a lot of passwords for different websites and mailing lists. How difficult would it be to use TLS to eliminate the need for the usernames/passwords on websites, by identifying users by a certificate instead of a password? Is this something that could easily be added into programs such as Mailman?

Yes, web-based programs could benefit heavily from the certificate authentication provided by the TLS layer. A user can be fully identified by a certificate permanently stored in his browser. But such an infrastructure is not easy to deploy, since it requires a centralized certification authority. That authority would need resources for issuing, updating, revoking etc. users' certificates.

An alternative decentralized solution could be the use of OpenPGP keys for TLS authentication. That way a user could be authenticated by sending his existing OpenPGP key. This kind of authentication is currently implemented only in gnutls, but I hope that other TLS implementations will follow.

Do you have any plans to offer commercial support for GNU TLS?

Currently I have no such plans.

What is your background as a developer? How did you become active in GNU TLS and free software?

I started coding when I learned C++ and C, back in 1996, in high school, after I got my first GNU/Linux distribution. I wanted to fix and change things in the programs I used, so I bought some books on programming. I was quite impressed by my distribution (it was Slackware), because the source code of the programs I used existed, so I could change things the way I liked!

While at university I read about cryptography, and as a result I created the cryptographic libraries mcrypt and mhash. GnuTLS came some years later. The first testbed of gnutls was hydra, an http server which I had created. During these years I also worked for a proprietary software company in Greece.

Is there any story behind how you became a supporter of the free software philosophy?

More or less it's the same story that got me engaged in programming. Having software to study, and compiler tools available in the operating system I used, was an idea I liked, so I became a supporter of the free software philosophy.

Security is a big issue today. From your experience of working on GNU TLS do you have any thoughts you'd like to share with other developers?

Well, the fact is that it takes a lot of time to create software that can be called secure, and despite that you can never be certain of providing the advertised security. Unfortunately there is no such proof of security, so you can only rely on the process that creates the software, and on a process of auditing.

Do you have any ideas on how we can move to a more secure infrastructure, both for free software development and for general users of the internet?

Those are really difficult problems to deal with on the internet, since it is a very large network, and changes in the basic infrastructure usually take years to be accomplished. Authentication, and especially a decentralized one such as OpenPGP's web of trust, may help control the number of messages originating from unknown sources. However I'm not really involved in the Internet Mail working groups, and do not know whether authentication has practical problems.

Software development as a process has little to gain by using cryptographic protocols. The most important advantage is for the users of software, since the introduction of cryptographic protocols ensures privacy. This is very important for applications running in networks like the internet, which was not designed to offer privacy.

One problem I've found with signed packages is that it's difficult to get a web of trust which connects everyone, even though the free software community is relatively small, so I usually have no way of verifying a signature. Is it possible to use the tools in GNU TLS for "code-signing" with certificates issued by a Certificate Authority?

Gnutls' tools do not offer this capability but as far as I know the new generation of gnupg will be providing such features. However, the problems you described will not be solved just by changing to X.509 infrastructure.

Developers who sign releases with OpenPGP keys that are not signed by any other people would probably use an X.509 certificate that is self-signed. The correct use of the given infrastructure is up to the developer, and not to the infrastructure itself. Both protocols could be misused. In the web of trust case it might be better to notify such developers that their key could not be trusted.

Also, the X.509 infrastructure has the drawback that it requires a centralized authentication system, which does not fit the decentralized development model that free software projects use.

If somebody wants to learn more about GNU TLS are there any books or tutorials that you would recommend?

Currently there is only the gnutls manual which is included in the distribution but also available online at GNU.org. I've tried to make it a good manual, but it still needs work.

Thanks for taking the time for this interview and for your work on free software!

Thank you too.

can it completely replace ssh, scp, sftp....? (#1)
by a member of the hurd (#-1) on Fri Dec 19th, 2003 at 13:45:59 GMT

Hello. Congratulations on your work in GNU projects. It is always amazing to see good quality products developed under a free license (I'm not sure I'm expressing my thoughts well in English; I mean: I love free software and GNU).

I often use the OpenSSL tools ssh, sftp and scp. A few days ago I heard about a GNU version of rsh (lsh), and I'm trying it; its interface is quite different from the SSL tools, so I'm still using ssh and friends.

Are there tools in the GNUTLS project able to replace ssh/scp/sftp?

Many thanks.

artime


Verbatim copying and distribution of this article is permitted in any medium, provided this notice is preserved. Images of gnu:s in the logo are © Free Software Foundation, Inc and distributed under the GNU General Public License. Comments are copyright by their respective owner. All other material is © 2002 .