[openssl-dev] Fwd: Re: [openssl-users] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback
Peter Waltenberg
pwalten at au1.ibm.com
Tue Nov 17 22:11:40 UTC 2015
> This is an interesting idea. For completeness, it has failed in other contexts
Well yes, but it's a different context: policy level rather than capability.
That's why I'm not in favour of removing algorithms. Even changing policy
higher up the stack can cause problems, but removing basic capabilities
tends to have even more unwanted side effects. I obviously have a personal
interest in this; in my case it's because I work for a company that does
provide insane support lifetimes for products.
For libcrypto itself the attack surface is near zero: it doesn't open
sockets, connect to networks, or accept input. It's simply a toolbox, and
there's always something else between libcrypto and an attack. If SSL
doesn't want to use MD5, well, don't use MD5, but there are other users of
the toolbox. As an analogy, throwing out all those 3/8th spanners just
because you've officially gone metric doesn't always work that well in
practice either.
Peter
Phone: 61-7-5552-4016
E-mail: pwalten at au1.ibm.com
L11 & L7 Seabank, Southport, QLD 4215, Australia
From: Jeffrey Walton <noloader at gmail.com>
To: OpenSSL Developer ML <openssl-dev at openssl.org>
Date: 17/11/2015 20:23
Subject: Re: [openssl-dev] Fwd: Re: [openssl-users] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback
Sent by: "openssl-dev" <openssl-dev-bounces at openssl.org>
On Mon, Nov 16, 2015 at 9:06 PM, Peter Waltenberg <pwalten at au1.ibm.com> wrote:
> Why not offer another set of get_XYZ_byname() which restricts the caller
> to socially acceptable algorithms. Or allows the opposite, it really
> doesn't matter, but restricted being the newer API breaks less code by
> default.
This is an interesting idea. For completeness, it has failed in other
contexts. For example, the IETF's TLS Working Group refuses to provide such
an abstraction. See, for example,
https://www.ietf.org/mail-archive/web/tls/current/msg17611.html.
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
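A sketch of the "policy level rather than capability" split Peter is describing, added here as an illustration; this is not OpenSSL code and the names get_digest_byname(), get_digest_byname_restricted(), digest_info and digest_policy are hypothetical. The registry table is constructed stand-in data, not libcrypto's real table. The point it shows is that both lookups share one capability table: the unrestricted lookup keeps every old caller working, while the restricted one withholds legacy algorithms by default and only hands one out to a caller whose own policy names it, so opting MD5 in for one user of the toolbox does not opt it in for SSL.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for libcrypto's digest registry (hypothetical; not
 * OpenSSL's table). The capability never goes away; "legacy" only marks what
 * the restricted lookup refuses to hand out by default. */
typedef struct {
    const char *name;
    int output_bits;
    int legacy;   /* 1 = withheld by get_digest_byname_restricted() unless opted in */
} digest_info;

static const digest_info digests[] = {
    { "MD2",    128, 1 },
    { "MD4",    128, 1 },
    { "MD5",    128, 1 },
    { "SHA1",   160, 1 },
    { "SHA256", 256, 0 },
    { "SHA384", 384, 0 },
    { "SHA512", 512, 0 },
};

/* Case-insensitive compare of the n bytes at a against the whole of b. */
static int name_eq(const char *a, size_t n, const char *b)
{
    if (strlen(b) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Capability level: the existing unrestricted lookup. Anything registered is
 * reachable, so old callers keep working. */
const digest_info *get_digest_byname(const char *name)
{
    for (size_t i = 0; i < sizeof digests / sizeof digests[0]; i++)
        if (name_eq(name, strlen(name), digests[i].name))
            return &digests[i];
    return NULL;
}

/* Policy carried by the caller: a comma-separated list of legacy names it has
 * a documented need for (e.g. "md5,sha1" to verify an old file format).
 * NULL means "nothing legacy". */
typedef struct {
    const char *allow_legacy;
} digest_policy;

/* Does the comma-separated list contain name? Tolerates spaces around items
 * and empty items such as "md5,,sha1". */
static int list_contains(const char *list, const char *name)
{
    const char *p = list;
    while (*p) {
        while (*p == ',' || *p == ' ')
            p++;
        const char *start = p;
        while (*p && *p != ',')
            p++;
        const char *end = p;
        while (end > start && end[-1] == ' ')
            end--;
        if (end > start && name_eq(start, (size_t)(end - start), name))
            return 1;
    }
    return 0;
}

/* Policy level: same registry, restricted by default. A legacy algorithm is
 * returned only when this caller's policy names it explicitly. */
const digest_info *get_digest_byname_restricted(const char *name,
                                                const digest_policy *pol)
{
    const digest_info *d = get_digest_byname(name);
    if (d == NULL || !d->legacy)
        return d;
    if (pol != NULL && pol->allow_legacy != NULL &&
        list_contains(pol->allow_legacy, d->name))
        return d;
    return NULL;   /* capability exists, policy withholds it */
}

int main(void)
{
    digest_policy old_format = { "md5, sha1" };   /* one caller's opt-in */
    const char *names[] = { "md5", "SHA1", "sha256", "md4", "nope" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const digest_info *a = get_digest_byname(names[i]);
        const digest_info *r = get_digest_byname_restricted(names[i], NULL);
        const digest_info *o = get_digest_byname_restricted(names[i], &old_format);
        printf("%-7s unrestricted=%s restricted=%s with-optin=%s\n", names[i],
               a ? "yes" : "no", r ? "yes" : "no", o ? "yes" : "no");
    }
    return 0;
}
```

Making the opt-in a per-caller argument rather than a global switch is the design choice that matters: a global "enable legacy" flag would put the decision back at capability level and re-expose every user of the toolbox at once.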