[openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

Benjamin Kaduk bkaduk at akamai.com
Wed Nov 18 17:12:59 UTC 2015

On 11/18/2015 07:05 AM, Hubert Kario wrote:
> So, a full CAdES-A, XAdES-A or PAdES-A implementation _needs_ to support 
> both relatively modern TLS with user certificates, preferably the newest 
> cryptosystems and hashes as well as the oldest ones that were 
> standardised and used.
> That means that old algorithms MUST remain in OpenSSL as supported 
> functionality. It may require linking to a specific library to make the 
> EVP* with old ciphers, MACs, etc. work, but they MUST NOT be removed 
> from it completely, definitely not before at least 50 years _after_ they 
> became obsolete and broken.

There seems to be a logical leap between these two paragraphs.  Why is
it necessary that OpenSSL be the only cryptographic library used by
CAdES-A/etc. implementations?  Is it in fact even necessary that only a
single version of a single cryptographic library be used for such
software?  While OpenSSL may try to be a general-purpose crypto library,
when a software has stringent or unusual crypto requirements, it seems
reasonable that such a software may need to involve unusual implementations.

I do not believe that OpenSSL has promised anywhere that it will support
this sort of use case.


More information about the openssl-users mailing list