Reducing the security bits for MD5 and SHA1 in TLS - OTC or OMC vote?

Matt Caswell matt at openssl.org
Wed May 27 14:48:26 UTC 2020



On 27/05/2020 15:33, Tomas Mraz wrote:
> On Wed, 2020-05-27 at 14:16 +0000, Dr. Matthias St. Pierre wrote:
>>> IMO it seems appropriate to have an OMC vote on this topic (or
>>> should it be OTC?). Possible wording:
>>
>> Personally, I would prefer it if technical questions were by default
>> discussed (and voted on) by the OTC, unless an OMC member explicitly
>> puts in his veto and claims that higher-level strategic interests of
>> the OpenSSL project are affected.
>>
>> But according to the current wording of the bylaws, I would say it is
>> a 'feature requirement' and requires an OMC vote:
> 
> I do not understand this to be a 'feature requirement' - IMO if this
> were a 'feature requirement' it would mean that the OMC decides that
> something must be implemented in such and such a way, so that OpenSSL
> 3.0 does this and that as a feature. But we do not do that for every
> feature that is being added to master. So I do not even think this
> requires any formal vote, unless someone from the OTC or OMC calls for
> it explicitly.
> 
> Of course it is kind of an API break, but again I do not think every
> API break in OpenSSL 3.0 was voted upon by the OMC.
> 
> I mean, I am definitely not against having a vote if someone feels it
> should be done, but if nobody requires it, I do not think it would be a
> violation of anything if this is merged without a vote.

I think there should be a vote. IMO such a significant break should be
done as a result of a positive decision and not on the basis of a very
small number of people approving a PR.

I can see arguments both ways for it being an OTC vote or an OMC vote.
To an extent it is purely a technical decision, i.e. to answer the
question: "does it technically make sense to make this change?"

It also has a business requirements aspect to it, i.e. to answer the
question: "would this have such a significant impact on the OpenSSL user
base that, regardless of its technical merits, we still shouldn't do it?"

On reflection, though, I'm not sure that the technical merits of this
are particularly controversial. So I'm thinking that the OMC is still
the right forum for this. However, if someone else thinks that the
*technical* arguments are controversial, there is no reason why we
couldn't have an OTC vote *as well*. I won't be proposing that though.


Matt
