Amazon has announced a new TLS implementation. From the ZDnet article:
Rather than try to cover all of SSL/TLS's full range of extensions, s2n, with its mere 6,000 lines of code, focuses only on encryption. This means that Amazon is not trying to replace OpenSSL. Schmidt wrote that "Amazon remains committed to supporting [OpenSSL] through our involvement in the Linux Foundation's Core Infrastructure Initiative."
Instead, s2n replaces the functionality of only one of OpenSSL's two main libraries: Libssl, which implements TLS. There is no s2n equivalent to libcrypto, OpenSSL's general-purpose cryptography library. Thus, s2n can take the place of "libssl," but not "libcrypto."
takyon: For comparison, about 70,000 lines of code in OpenSSL are involved in processing TLS.
(Score: 0) by Anonymous Coward on Thursday July 02 2015, @07:55AM
In addition to the problems you list, here's a good blog post that covers what's wrong with DNSSEC [sockpuppet.org]. And here are the Mozilla [mozilla.org] and Google [google.com] bugs saying they won't support it.
One detail is that my understanding of TLSA records is that, like HPKP, they let you reference any key in the chain, which could be the CA's key (master or intermediate) or your own.
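As an added illustration of the point in the comment above (this is example code written for this page, not taken from the article, the commenter, or any project), the following decodes wire-format TLSA RDATA as laid out in RFC 6698 and checks it against a certificate chain. The chain and its "DER" and "SPKI" bytes are constructed stand-ins, not real certificates, and the simplification that trust-anchor usages (0 and 2) may match any issuer cert in the presented chain while end-entity usages (1 and 3) may only match the leaf is an assumption of this example; the usage, selector and matching-type values are the RFC's.

```python
"""Added example: decode TLSA RDATA (RFC 6698) and match it against a chain.
The certificates below are constructed byte strings, not real DER."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Field values and names from RFC 6698 section 2.1.
USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    cert_assoc_data: bytes


def parse_tlsa_rdata(rdata: bytes) -> TLSARecord:
    """Decode wire-format TLSA RDATA: three one-octet fields, then the data."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA needs 3 header octets and at least 1 data octet")
    usage, selector, matching = rdata[0], rdata[1], rdata[2]
    if usage not in USAGE or selector not in SELECTOR or matching not in MATCHING:
        raise ValueError(f"unknown TLSA field value: {usage} {selector} {matching}")
    data = rdata[3:]
    expected = {1: 32, 2: 64}.get(matching)
    if expected is not None and len(data) != expected:
        raise ValueError(f"{MATCHING[matching]} data must be {expected} bytes, got {len(data)}")
    return TLSARecord(usage, selector, matching, data)


@dataclass(frozen=True)
class ChainCert:
    """Stand-in for an X.509 certificate (constructed bytes, not real DER)."""
    name: str
    der: bytes   # would be the full DER-encoded certificate
    spki: bytes  # would be the DER-encoded SubjectPublicKeyInfo


def association_data(cert: ChainCert, selector: int, matching: int) -> bytes:
    """Compute the bytes a TLSA record would carry to pin this cert."""
    selected = cert.der if selector == 0 else cert.spki
    if matching == 0:
        return selected
    if matching == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_match(record: TLSARecord, chain: list) -> Optional[str]:
    """Return the name of the chain cert the record pins, or None.

    chain[0] is the end-entity cert; the rest are its issuers, root last.
    EE usages (1, 3) may only match the leaf; TA usages (0, 2) may only
    match an issuer (simplified from RFC 6698 for this example).
    """
    candidates = chain[:1] if record.usage in (1, 3) else chain[1:]
    for cert in candidates:
        if association_data(cert, record.selector, record.matching_type) == record.cert_assoc_data:
            return cert.name
    return None


# Constructed sample chain; nothing here is a real key or certificate.
LEAF = ChainCert("leaf", b"DER:leaf", b"SPKI:leaf")
INTERMEDIATE = ChainCert("intermediate", b"DER:intermediate", b"SPKI:intermediate")
ROOT = ChainCert("root", b"DER:root", b"SPKI:root")
CHAIN = [LEAF, INTERMEDIATE, ROOT]


def make_rdata(usage: int, selector: int, matching: int, cert: ChainCert) -> bytes:
    """Build the wire RDATA a zone operator would publish to pin `cert`."""
    return bytes([usage, selector, matching]) + association_data(cert, selector, matching)


def demo() -> dict:
    """Pin the intermediate's key with DANE-TA and the leaf's key with DANE-EE."""
    ta = parse_tlsa_rdata(make_rdata(2, 1, 1, INTERMEDIATE))
    ee = parse_tlsa_rdata(make_rdata(3, 1, 1, LEAF))
    # A DANE-EE record carrying the intermediate's hash does not validate:
    # usage 3 only ever refers to the end-entity certificate.
    wrong = parse_tlsa_rdata(make_rdata(3, 1, 1, INTERMEDIATE))
    return {
        "ta": tlsa_match(ta, CHAIN),
        "ee": tlsa_match(ee, CHAIN),
        "wrong": tlsa_match(wrong, CHAIN),
    }


if __name__ == "__main__":
    print(demo())  # {'ta': 'intermediate', 'ee': 'leaf', 'wrong': None}
```

The point the usage field makes is that "which key in the chain" is not a free choice at validation time: the record itself says whether it names a trust anchor or the end entity, and a verifier that ignores that distinction would accept a record published for one role when matching the other.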