[openssl-project] Policy update

Benjamin Kaduk kaduk at mit.edu
Sat Dec 23 05:53:20 UTC 2017


On Fri, Dec 22, 2017 at 03:28:50PM +0100, Kurt Roeckx wrote:
> 
> I think at least the wording could be improved. For instance, it
> says "All [new] algorithms and protocols must be disableable". I
> assume it means cryptographic algorithms, like AES, SHA2, HMAC, ...
> Does something like CMS and X509 fall under that? It doesn't sound
> like an algorithm to me, and protocol also doesn't seem like the
> correct word. The same goes for the "All algorithms and protocols
> should be [standardised]".
> 
> On a related topic, I think there has been a suggestion that we
> should work on not exposing such compile time options in the
> public headers but that applications should do runtime detection
> of the available features instead.

I agree with these concerns about exposing the compile-time options
in the public headers, but I also have concerns about the number of
compile-time options in general.  Growth of compile-time options
brings *exponential* growth in the number of possible "supported"
configurations, which places a huge maintenance burden on us.  Do we
really need to take on that burden?

-Ben

