[openssl-dev] [openssl-users] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Wed Nov 18 18:52:47 UTC 2015
On 11/18/15, 12:12 , "openssl-dev on behalf of Benjamin Kaduk"
<openssl-dev-bounces at openssl.org on behalf of bkaduk at akamai.com> wrote:
>On 11/18/2015 07:05 AM, Hubert Kario wrote:
>> So, a full CAdES-A, XAdES-A or PAdES-A implementation _needs_ to
>>support
>> both relatively modern TLS with user certificates, preferably the
>>newest
>> cryptosystems and hashes as well as the oldest ones that were
>> standardised and used.
>>
>> That means that old algorithms MUST remain in OpenSSL as supported
>> functionality. It may require linking to a specific library to make the
>> EVP* with old ciphers, MACs, etc. work, but they MUST NOT be removed
>> from it completely, definitely not before at least 50 years _after_
>>they
>> became obsolete and broken.
>
>There seems to be a logical leap between these two paragraphs. Why is
>it necessary that OpenSSL be the only cryptographic library used by
>CAdES-A/etc. implementations?
Because it used to be the only real game in town, and *people learned to
rely upon it*.
>Is it in fact even necessary that only a
>single version of a single cryptographic library be used for such
>software?
No, of course not. But after letting people depend on this “single
cryptographic library” for many years, telling them “too bad” isn’t very
nice.
>While OpenSSL may try to be a general-purpose crypto library,
>when a software has stringent or unusual crypto requirements, it seems
>reasonable that such a software may need to involve unusual
>implementations.
The requirements did not change. What changed was the maintainers
expressing their desire to stop supporting some of them.
>I do not believe that OpenSSL has promised anywhere that it will support
>this sort of use case.
Implicitly, by providing that kind of service for so long. And explicitly,
as pointed out by Hubert:
From the main web page of project:
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, *full-featured*, and Open Source toolkit
implementing the Transport Layer Security (TLS) and Secure Sockets
Layer (SSL) protocols as well as a full-strength *general purpose*
*cryptography library* .
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4308 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20151118/4001513c/attachment-0001.bin>
More information about the openssl-dev
mailing list