[openssl-project] Policy update

Kurt Roeckx kurt at roeckx.be
Wed Jan 3 21:10:26 UTC 2018


On Wed, Jan 03, 2018 at 07:57:21PM +0000, Salz, Rich wrote:
> I am less concerned about adding datatypes than I am about adding algorithms and protocols.  It is hard for a user to make themselves less secure by configuring a datatype.

I think we currently support some Microsoft encrypted key format
which we reverse engineered, which clearly won't be recognized by
some standards body. But it also says "should". So maybe that can
be an exception?

Which at least makes me wonder when exceptions would be allowed and
how that should be decided. Should we document the exceptions in the
policy, and have the OMC vote on it? Or is that too bureaucratic?
It would at least be clear and something we can point people to.
I guess we can just delay this until it actually comes up.

> Do you have substantive issues with the decisions? I agree the wording can be improved.

No, I think the wording should just be made clear what we mean
exactly.


Kurt


