
> The OpenSSL command line is more or less a test driver / reference for the library

hmmm, not sure about that. It's the main (only?) interface if an individual wants to mess with certificates or generate them. It is often reported that ACME/LE took off because it is easier to configure an ACME client than to go through the annual wrestling with openssl. But if openssl had been easy for common user tasks, maybe LE would have taken longer to be adopted.

ffmpeg also has a notoriously difficult CLI interface. Today you can just ask an LLM to generate a command for you; the consequences are low if it gets it slightly wrong. The consequences of getting openssl wrong might not be obvious immediately and could result in a lot of debugging down the line.



LE took off because everyone was charging ridiculous amounts for certificates and few people needed the verification that comes with that. ISRG created ACME for LE.


One of my personal frustrations with SSL as implemented in most systems is the conflation of encrypted communication with verified communication. SSH sort of got this right with TOFU as the default behavior, but I think a lot of the resistance and difficulty in adopting SSL for encrypted intranet communication comes from the need to do the CA and cert-signing song and dance. If you could turn on encryption without needing to do ID validation by default, it would make things easier for people.

I know that encrypted communication without knowing that you're talking to the right person is somewhat useless, but it works for SSH most of the time; there’s no reason it couldn’t work well for https and encrypted db connections etc.
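The TOFU model the comment above describes can be applied to TLS by a client that skips CA validation but pins the server certificate it saw on first contact, in the spirit of `~/.ssh/known_hosts`. The following is an added example, not code from any commenter or project; it uses only the Python standard library (`ssl`, `hashlib`, `json`) and assumes a JSON pin file path of the caller's choosing. The first connection is unauthenticated by design, which is exactly the caveat the comment raises; every later connection is checked against the recorded fingerprint and a mismatch is treated as an error rather than silently accepted.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path


class PinMismatch(Exception):
    """Raised when a host presents a certificate other than the one pinned on first use."""


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded.

    This is the same value `openssl x509 -fingerprint -sha256` prints, without the colons.
    """
    return hashlib.sha256(der_cert).hexdigest()


class TofuStore:
    """Persistent host:port -> certificate fingerprint map (a known_hosts for TLS).

    Assumed layout: a single JSON object stored at `path` (hypothetical file format).
    """

    def __init__(self, path: Path):
        self.path = path
        self.pins = json.loads(path.read_text()) if path.exists() else {}

    def _save(self) -> None:
        self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        """Return "pinned" on first contact, "match" on a repeat; raise PinMismatch otherwise."""
        key = f"{host}:{port}"
        fp = cert_fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            # First contact: nothing to compare against, so trust and record.
            # This step has no identity guarantee; that is the TOFU trade-off.
            self.pins[key] = fp
            self._save()
            return "pinned"
        if pinned != fp:
            # Could be a legitimate rotation or an interposed endpoint; the client
            # cannot tell, so refuse and leave the decision to an operator.
            raise PinMismatch(
                f"{key}: pinned {pinned[:16]}..., presented {fp[:16]}..."
            )
        return "match"


def tofu_connect(store: TofuStore, host: str, port: int, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open an encrypted TLS connection with no CA validation, then enforce the TOFU pin."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # encryption only; identity comes from the pin store below
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # SNI still sent so the right cert is served
    try:
        der = tls.getpeercert(binary_form=True)
        store.check(host, port, der)    # raises PinMismatch on a changed certificate
    except Exception:
        tls.close()
        raise
    return tls
```

`tofu_connect` is the network-facing wrapper; `TofuStore.check` holds all of the trust logic and can be exercised offline against any byte string standing in for a DER certificate. Pins are keyed by host and port, so a certificate learned for one service is never accepted for another.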


I recommend https://cryptography.io/en/latest/ as a way to use openssl library instead of the command line.


That actually looks very useful. Thanks.
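To show what the cryptography.io recommendation above looks like in practice, here is an added example (not from either commenter) that performs the common "openssl" chore of producing a self-signed server certificate, then reads it back and checks its self-signature, all through the library's `x509` API rather than the command line. It assumes the `cryptography` package is installed; the hostname `db.internal.example` is a constructed value.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def make_self_signed_cert(hostname: str, days_valid: int = 365):
    """Return (private_key_pem, cert_pem) for a self-signed TLS server certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)                       # issuer == subject: self-signed
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))  # tolerate small clock skew
        .not_valid_after(now + datetime.timedelta(days=days_valid))
        # Modern clients match the hostname against the SAN, not the CN.
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        # Explicitly not a CA, so this leaf cannot be abused to issue further certificates.
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, content_commitment=False, key_encipherment=False,
                data_encipherment=False, key_agreement=False, key_cert_sign=False,
                crl_sign=False, encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .sign(key, hashes.SHA256())
    )
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    cert_pem = cert.public_bytes(serialization.Encoding.PEM)
    return key_pem, cert_pem


def describe_cert(cert_pem: bytes) -> dict:
    """Parse a PEM certificate and pull out the fields an operator usually wants to eyeball."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    basic = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    return {
        "subject_cn": cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "dns_names": san.get_values_for_type(x509.DNSName),
        "is_ca": basic.ca,
        "self_signed": cert.issuer == cert.subject,
    }


def verify_self_signature(cert_pem: bytes) -> bool:
    """Check that the certificate's signature validates under its own (EC) public key."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
        return True
    except Exception:
        return False


if __name__ == "__main__":
    key_pem, cert_pem = make_self_signed_cert("db.internal.example")
    print(describe_cert(cert_pem), verify_self_signature(cert_pem))
```

The resulting PEM files are interchangeable with what `openssl req -x509` produces, so they can be dropped into any server that expects a certificate and key, but the intent of each field (SAN, CA flag, key usage) is spelled out in code instead of buried in command-line switches or a config file.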




