[openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

[Valerie Fenwick]

On 11/13/2015 1:20 PM, Salz, Rich wrote:
>> Actually deleting algorithms is *very* difficult.
>
> Yes.
>
> And we're doing the best we can by asking reasonably.
>
> Some people may get burnt.  Oh well.  It's open source, fork if you have to.

With all of the "unacceptable" rules coming down from Gov'ts and corp
CSOs, you'll soon find more people want them out than left in.

They become dangerous, as the code rots and nobody looks at it.

And, worse, people could use it and think it's okay because it's there.

Disabled by default is good, gone (for some of these) is better.

People will have to modernize - things will break, and we will have to tell
them: "wow, what you're doing is horribly insecure, thank goodness your
application stopped running so you could know to go fix this".

yes, there will be applications that haven't been updated in years that
"depend" on these algorithms.  But, what other security bugs lurk in
there?  Those applications likely should not be used, should be modernized
or replaced.

Given how big the changes are for 1.1.0, it seems like a generally reasonable
time to do this.

Valerie

-- 
Valerie Fenwick, http://bubbva.blogspot.com/ @bubbva
Solaris Cryptographic & Key Management Technologies, Manager
Oracle Corporation: 4180 Network Circle, Santa Clara, CA, 95054.