[openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2

[Salz, Rich]

> From: Michael Wojcik [mailto:Michael.Wojcik at microfocus.com]

Thanks for the detailed and thoughtful response.  I only want to respond to a few of your points.

> One is simply that we're seeing a lot of
> OpenSSL roadmap announcements. That's good in the sense that before the
> funding boost, progress was of course much slower and communication
> much less frequent. On the other hand, it's worrying because those changes
> have consequences for developers working with OpenSSL, and so we need
> to account for them in our plans.

It seems to me that now folks are being told what is coming (or planned, or might, or we want to) a pretty long time in advance.  I don't think that's ever happened before. I understand the stress this can cause -- "how will we handle it" -- but at least there's advance notice now, which there never was before.  Also, keep in mind that the big flurry of activity is happening in master, which isn't going to be released until, at best, year-end.  That's a pretty long time. And we are working pretty hard to keep the community informed and engaged. 

> And while those announcements are
> generally couched as requests for feedback, arguments against them usually
> don't seem to carry much weight.

I disagree with this.  On the platform issue, Netware was kept and nodbody else raised an issue.  On the #ifdef issue, Brian Smith raised a concern and Richard reassured him. On the API issue, Jakob is upset; some of that is, supposedly, addressed by overall retaining the crypto API's, and some of it we just disagree. On the cipher strength, the discussion is still ongoing and I haven't seen much support for Viktor's viewpoint.  Have I missed any?

--  
Principal Security Engineer, Akamai Technologies
IM: rsalz at jabber.me Twitter: RichSalz