OMC Vote on deprecation of command line apps

Dr Paul Dale paul.dale at oracle.com
Fri May 8 05:08:07 UTC 2020


PR 11575 <https://github.com/openssl/openssl/pull/11575> has been blocking awaiting decision for a while now.  Time for a vote:

topic: Merge #11575 for 3.0.
comment: This PR removes the notes indicating that a number of the command
         line utilities are deprecated.  Not merging it will leave them flagged
         as deprecated.
Proposed by: Paul Dale
Public: yes
opened: 2020-05-08

Ideally we’ll have a decision in time for the next 3.0 alpha release.


The crux of the matter is that a number of the command line utilities are flagged as deprecated currently:
  * dhparam
  * dsa
  * dsaparam
  * ec
  * ecparam
  * agendas
  * rsa

These commands are not being removed in 3.0, instead they’ve been rewritten to use the PKEY APIs instead of the low level APIs as far as possible.


The reasons for keeping them are:
  * they are easier to use than the pkey replacements
  * a web search will likely result in these commands, not the pkey replacements.

The reason for removing them is one of maintenance: having duplicate commands means having to make changes in two places and this has been missed in the past and will be in the future.


Other random notes:
  * Deprecation of these commands does not mandate that they are removed at the first opportunity.  It only indicates that we want to move away from them.
  * Rewriting these commands so that they call the pkey replacements looks to be very difficult.  Reproducing the exact behaviours will be challenging, although the basic functionality would be straightforward.
  * The rsautl command is deprecated and isn’t slated for being restored — pkeyutl is every bit as easy to use.
  * The -dsaparam option to dhparam is deprecated — it cannot be supported without direct access to low level functionality we want to remove.
  * Post quantum crypto will make the discussion obsolete — none of these algorithms are useful in a quantum computer world.

My personal opinion is that these commands are good being deprecated but that we should not remove them until their usefulness is at an end.  This will likely mean not removing them after five years of deprecation.  It would mean removing them once quantum computers are shown to be effective.  Without deprecation now, we can’t remove them until a lot later.


Pauli
-- 
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
Phone +61 7 3031 7217
Oracle Australia



