[openssl-users] Old "RSA_NET" key format

Michael Wojcik Michael.Wojcik at microfocus.com
Fri Jul 10 15:43:47 UTC 2015


> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Salz, Rich
> Sent: Thursday, July 09, 2015 15:29
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] Old "RSA_NET" key format
> 
> > Because both methods confirm your prior decisions, you therefore
> > conclude that you were always right in the first place.
> 
> Provably wrong.  I wanted to get rid of Netware support as the first example
> that comes to mind.  As the second, I want to move all uses of RC4 and MD5
> to LOW strength ciphers.  Neither one of those things is happening.

As one of the people who complained (publicly) about the proposal to move RC4 to LOW, I have to support Rich here. He did ask about it on the list, there were complaints, and the mooted change was abandoned (at that time; it may of course come up again, which I think is reasonable).

In the flurry of changes to the OpenSSL development staff and processes after Heartbleed, some people - myself included - had the impression that the team was making changes to OpenSSL too quickly, with insufficient community input. Since then I for one have come to feel that they're being more measured and careful about making those changes than I originally believed.

Removing little-used, archaic features always poses some danger of breaking existing applications. However, it's also a potent way to retire technical debt and refactor other parts of the code base, making the whole easier to maintain, which is a benefit to people not using those features. It's a procedure that shouldn't be undertaken lightly, but software development is always a matter of compromises, and sometimes it's the best compromise available.

-- 
Michael Wojcik
Technology Specialist, Micro Focus


