[openssl-users] The evolution of the 'master' branch

Michael Felt aixtools at gmail.com
Sat Feb 7 11:12:26 UTC 2015


From someone who does NOT understand the ins and outs of what people
(developers and users) have been using openSSL for.
My first reaction is: have developers been using openSSL, or has it gone to
abusing it?
For the sake of argument - let's say just use as it has always been
intended.

Many technologies - especially related to security - whether it be a big
log through 'something', to skeleton keys, to digital keys, etc - we want
to be able to trust our locks. When the lock technology is no longer
trustworthy - whether it be packaging (which is what the discussion sounds
like atm) or unrepairable "concerns" with the technology as is - we change
our locks.

Not everyone changes locks at the same moment in time. Urgency depends on
need, i.e., what is at risk.

I started following these discussions because I am concerned (remember I am
not really interested in the inner workings). I just think my locks are
broken and am wondering if it is time to change to something that maybe "can
do less" - but what it does, does it better than what I have now.

Regardless of the choices made by openssl - people outside openssl have
needs and are looking at alternatives. To someone like me it is obvious
something must change - even if technically it is cosmetic - because
(open)SSL is losing the trust of its users.

As a user - I need an alternative. And just as I stopped using
telnet/ftp/rsh/etc. - because I could not entrust the integrity of my systems
when those doors were open - so are my concerns re: (open)SSL. In short, is
SSL still secure? And, very simply, as an un-knowledgeable user - given the
choice of a library that does something well - and that's it, versus
something else that does that - but leaves room for 'experiments' - Not on
my systems. Experiment in experiment-land.

My two bits.

On Fri, Feb 6, 2015 at 9:59 PM, Matt Caswell <matt at openssl.org> wrote:

>
>
> On 06/02/15 16:03, Jakob Bohm wrote:
> > I believe you have made the mistake of discussing only amongst
> > yourselves, thus gradually convincing each other of the
> > righteousness of a flawed decision.
>
>
> ...and, Rich said in a previous email (in response to your comment):
> >> I fear that this is an indication that you will be killing
> >> off all the other non-EVP entrypoints in libcrypto
> >
> > Yes there is a good chance of that happening.
>
> I'd like to stress that there has been no decision. In fact we're not
> even close to a decision on that at the moment.
>
> Whilst this has certainly been discussed I don't believe we are near to
> a consensus view at the moment. So whilst there is a good chance of that
> happening....there's also a very good chance of it not. It is still
> under discussion.
>
> Matt