Hacker News new | ask | show | jobs
by tptacek 4488 days ago 

    Feature: *Certificate Validation*
      In order to *keep NSA from reading my emai*
      As a *TLS X.509 validation library*
      I want *to never erroneously validate a certificate*
What are the "Scenarios"?

      Given: *???*
      And: *???*
      When: *???*
      Then: *the certificate should be rejected*
Remember, if we're switching topics to the "goto fail" bug: that bug didn't affect every instance of certificate validation. You had to be in a particular set of ciphersuites.
2 comments
dasil003 4488 days ago
I agree with this demonstration of why acceptance tests are not going to prevent bugs like this, but I'm not so sure about unit tests. I've seen good unit tests reveal a lot of similarly difficult-to-spot bugs. Granted, a really good type system like Haskell gives you more guarantees than a test suite in less rigorously typed languages ever can, but I think you're too quick to dismiss unit tests out of hand. It's a tool in the quiver, and the reason TLS stacks don't tend to have them is not because they are not valuable, but probably because the developers weren't any good at unit testing.
link
jsmthrowaway 4488 days ago
I spent a few minutes replying to your original comment, then you ninja edited in the closing paragraph and invalidated mine, so this is where I end the conversation. I can't reply to an ever-shifting comment with someone who reads what they want to read out of my comments and invokes the NSA for no reason whatsoever.
link
tptacek 4488 days ago
You'd be a happier person if you didn't assume people were editing their comments just to make you look bad. You can be assured that if I had seen you respond to something I'd written, I'd have noted where I added to my original comment.

But I agree that you & I are better off not discussing things.

link
jsmthrowaway 4488 days ago
I'm quite a happy person and thanks for the irrelevant concern trolling, based on a comment thread that's calling you out (do you always assume people that think you're wrong are unhappy or otherwise defective?). And no, I didn't assume those words you've placed in my fingers. I was, rather, annoyed that I invested a few minutes into a playing field that you'd already moved while I worked.

If you'd permit me a brief bit of my own concern trolling: I remember when I looked forward to reading your comments, several years ago. Now I see your nickname and say "bah, again?" What changed? Was it me or you?

link