On Thu, May 13, 2004 at 04:05:38PM -0400, Michael Richardson wrote:
> 
>   If this is the only advantage, I don't think the complexity of the
> "OpenSSL" is worth it.  As many have said, the "openssl" binary is
> particularly poorly suited to actually doing anything with the library.
>   If the code is built into pkg_* - i.e. we are using libssl, not
> "openssl", great. Openssl is too hard to script.

"OpenSSL" is a single software package that supplies both libraries and
command-line tools (I'm sure you know this, I just want to be sure that
this discussion is entirely clear about it).

If you read the other messages in this thread carefully I think you'll
find that it's repeatedly suggested that the right thing to do is to
simply link the OpenSSL *libraries* into the pkg tools and avoid using
any external command-line utility.

>   Otherwise, I suggest using simpleca (http://www.vpnc.org/simpleca/ )
> or sticking with GnuPG, as sucky as I think GnuPG is.

Uh, "sticking" with GNUPG?  The very first message in this thread advocated
*adding* GNUPG to the base system; in response to which it was pointed out
both that the 'openssl' command-line utility could already do the necessary
signing and verification operations, and that it would make more sense to
link the pkg and installation tools with the OpenSSL libraries instead, and
avoid the use of either horrible command-line tool.

"Sticking with GNUPG" is not a valid reason to *add* GNUPG to the base
system.

Thor