[Security-sig] Unified TLS API for Python

Cory Benfield cory at lukasa.co.uk
Wed Jan 11 15:20:08 EST 2017


> On 11 Jan 2017, at 19:49, Christian Heimes <christian at cheimes.de> wrote:
> 
> AFAIK PyOpenSSL doesn't support this mode. How do we deal with
> unconnected sockets, UDP/DTLS and other transports? Are sockets limited
> to AF_INET / AF_INET6 and SOCK_STREAM?

To begin with, I think we need to restrict ourselves to SOCK_STREAM. There’s no need to get specific about address family, I don’t think. As for unconnected sockets, I think I’d like to delay that concern unless someone wants to propose the API.

> In the not-so-distant future SRV-ID validation will become relevant. In
> order to support dNSName, IPAddress, and SRV-ID validation, the TLS
> socket needs the hostname (if available), IP address, port and service
> type (e.g. http, ldap, xmpp-server, …).

The advantage of this API is that it would be extensible. We can extend it as needed over time, we don’t need to shove everything in at once. So I’m inclined to want to defer this until we see what the implementations actually do.

> For hostname validation we should also define how we are going to deal
> with encodings. Is the hostname always an IDN U-label, A-label or can it
> be both?

Pass. I think you have a better idea of what is required here than I do: do you have a suggestion?
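The hostname-encoding question above (U-label vs A-label), worked through as an added example that is not part of this thread or of any of the libraries mentioned in it: a normalizer that accepts either form and an RFC 6125-style dNSName comparison built on top of it. It assumes only the Python standard library; the stdlib `idna` codec implements IDNA2003, which is a known caveat for names that IDNA2008 handles differently.

```python
# Added example, not code from the thread. Normalizes a hostname that may be
# given as an IDN U-label ("bücher.example") or A-label ("xn--bcher-kva.example")
# to one canonical A-label form, then compares it to a certificate dNSName.
# Caveat: Python's built-in "idna" codec is IDNA2003, not IDNA2008.

def to_a_label(hostname: str) -> str:
    """Return the lowercased ASCII (A-label) form without a trailing dot."""
    host = hostname.rstrip(".")
    labels = []
    # Encode label by label: ASCII labels pass through, U-labels get punycoded.
    for label in host.split("."):
        if not label:
            raise ValueError("empty label in hostname")
        try:
            labels.append(label.encode("idna").decode("ascii").lower())
        except UnicodeError as exc:
            raise ValueError(f"invalid IDN label {label!r}") from exc
    return ".".join(labels)

def dnsname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of a certificate dNSName against a hostname.

    Both sides are normalized to A-labels first, so a U-label supplied by the
    application and an A-label in the certificate still compare equal.
    A single '*' is allowed only as the entire left-most label, only when at
    least two labels follow it (no '*.com'), and never against an xn-- label.
    """
    pat_labels = to_a_label(pattern).split(".")
    host_labels = to_a_label(hostname).split(".")
    if not any("*" in label for label in pat_labels):
        return pat_labels == host_labels
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False
    if any("*" in label for label in pat_labels[1:]):
        return False
    if len(host_labels) != len(pat_labels):
        return False
    if host_labels[0].startswith("xn--"):
        return False
    return host_labels[1:] == pat_labels[1:]
```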
