[openssl-project] [openssl-dev] Blog post; changing in email, crypto policy, etc
Salz, Rich
rsalz at akamai.com
Mon Jan 22 16:25:25 UTC 2018
➢ ??? Humans communicate with words. If we are to agree on something,
➢ words is *all* we have to use. And wordings have meanings too...
Fair point.
➢ Let me rephrase. "It's another thing to *purposefully* introduce options
➢ known to be insecure by the time of introduction."
Yes run-time and compile-time is something to keep in mind.
We do not plan to introduce any insecure options that are enabled by default. Option refers to compile-time and build-time both. But I’ve been in this field for a long time, and I don’t think we can guarantee that it will not happen. For example, the extra-entropy extension, the DualEC DRBG, etc.
Ok?