[openssl-dev] [openssl-users] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

Hubert Kario hkario at redhat.com
Mon Nov 23 12:19:10 UTC 2015


On Friday 20 November 2015 12:58:59 John Denker wrote:
> On 11/19/2015 12:28 PM, Viktor Dukhovni wrote:
> > What algorithms people use on
> > their own data is their choice and risk decision not ours.
>
> To say the same thing yet another way, fundamentally we have a
> communication problem, or rather two separate communication
> problems:
>  A) The experts on this list know that certain crypto primitives
>   are "broken or outdated".  This needs to be communicated to the
>   people who are actually in a position to make and implement
>   policy.
>  B) There is some question as to whether users in the field have
>   received message (A) and successfully ended all use of the
>   deprecated primitives.  It would be nice if the people who
>   know the status could communicate this back to the developers.

There are certain situations in which using "broken or outdated" 
algorithms is both secure and unavoidable.

See my email from Wed, 18 Nov 2015 14:05:07 +0100.

And to repeat myself: TLS is *not* the only way OpenSSL is used.
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic