[openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

Viktor Dukhovni openssl-users at dukhovni.org
Sun Feb 28 17:25:59 UTC 2016


> On Feb 28, 2016, at 12:17 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> 
> Thanks Viktor.
> 
> Here's the practical problem I am trying to solve. It's a policy and
> procedure problem.
> 
> Suppose an organization has a rule that says, "no private APIs shall
> be used". How do I tell an organization to differentiate between
> public and private APIs to ensure compliance with the policy? What do
> I tell QA to verify compliance with the policy?

With respect to OpenSSL, such a policy is untenable for applications that
use advanced under-documented portions of the API. OpenSSL does not
currently provide a comprehensive definition of the public API.

For applications that use only the most commonly used features, the best
bet is to only use documented interfaces.  If you're using undocumented
features, you're going out on a limb.  If you're using something undocumented,
but clearly important and broadly useful, contribute documentation!

-- 
	Viktor.
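One way QA could act on the "only use documented interfaces" advice is to compare the OpenSSL symbols an object file imports against the names listed in the NAME sections of OpenSSL's .pod manual pages. The script below is an added example, not code from the thread or from the OpenSSL project. It assumes the manual pages live in doc/man3/*.pod (1.1.0 and later) or doc/crypto/*.pod (1.0.x), that imports are read from `nm -u` output, and it uses a hypothetical prefix list (OPENSSL_PREFIXES) to decide which symbols count as OpenSSL API. The embedded sample .pod text and nm output are constructed so the check runs offline; they say nothing about what the real documentation covers.

```python
"""Flag OpenSSL symbols an application imports that no manual page names.

Added example for the thread above, not OpenSSL project code.  Assumes
documented names come from the NAME section of .pod manual pages and
that the application's imports come from `nm -u` output.
"""
import glob
import re
import subprocess
import sys

# Hypothetical heuristic: symbol prefixes treated as "OpenSSL API".
# Extend this for the modules the application actually uses.
OPENSSL_PREFIXES = (
    "EC_", "EVP_", "SSL_", "BIO_", "X509_", "RSA_", "BN_", "ERR_",
    "CRYPTO_", "OPENSSL_", "PEM_", "ASN1_", "HMAC_", "RAND_", "d2i_", "i2d_",
)


def documented_names(pod_text):
    """Return the set of names listed in a .pod NAME section.

    A NAME section reads like
        =head1 NAME
        EC_KEY_new, EC_KEY_free - manipulate EC_KEY objects
    possibly wrapped over several lines; everything before the first
    ' - ' is a comma-separated list of documented names.
    """
    names = set()
    m = re.search(r"^=head1 NAME\s*\n(.*?)(?=^=head1|\Z)", pod_text, re.S | re.M)
    if not m:
        return names
    body = " ".join(m.group(1).split())       # unwrap continuation lines
    head = body.split(" - ", 1)[0]            # drop the description
    for tok in head.split(","):
        tok = tok.strip()
        if tok:
            names.add(tok)
    return names


def imported_openssl_symbols(nm_output):
    """Return OpenSSL symbol names from `nm -u` output.

    Lines look like '                 U EC_KEY_new' or, with symbol
    versioning, 'U EC_KEY_new@OPENSSL_1_1_0'; the version suffix is dropped.
    """
    syms = set()
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-2] == "U":
            name = parts[-1].split("@", 1)[0]
            if name.startswith(OPENSSL_PREFIXES):
                syms.add(name)
    return syms


def undocumented(imports, documented):
    """Sorted list of imported OpenSSL symbols with no manual page entry."""
    return sorted(imports - documented)


# Constructed sample data standing in for real files so the check runs offline.
SAMPLE_POD = """=head1 NAME

EC_KEY_new, EC_KEY_free,
EC_KEY_set_private_key - create, destroy and manipulate EC_KEY objects

=head1 SYNOPSIS

 #include <openssl/ec.h>
"""

SAMPLE_NM = """                 U EC_KEY_new@OPENSSL_1_1_0
                 U EC_KEY_free
                 U EC_KEY_priv2buf
                 U memcpy@GLIBC_2.2.5
                 U my_app_helper
"""


def check(nm_output=SAMPLE_NM, pod_texts=(SAMPLE_POD,)):
    """Run the comparison; returns the list of undocumented symbols."""
    documented = set()
    for text in pod_texts:
        documented |= documented_names(text)
    return undocumented(imported_openssl_symbols(nm_output), documented)


if __name__ == "__main__":
    # Real use: python check_api.py app.o /path/to/openssl/doc/man3
    if len(sys.argv) == 3:
        nm_out = subprocess.run(["nm", "-u", sys.argv[1]],
                                capture_output=True, text=True, check=True).stdout
        pods = [open(p, encoding="utf-8", errors="replace").read()
                for p in glob.glob(sys.argv[2] + "/*.pod")]
        result = check(nm_out, pods)
    else:
        result = check()
    for sym in result:
        print("undocumented:", sym)
    sys.exit(1 if result else 0)
```

Two caveats for anyone wiring this into a build: `nm -u` only sees real imports, so functions that OpenSSL's headers implement as macros or inline wrappers never appear and need a source-level check instead; and a name appearing in a manual page means it is documented, not that it is free of deprecation notices, so the report is a starting point for review rather than a compliance verdict.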

