[openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback
Benjamin Kaduk
bkaduk at akamai.com
Wed Nov 18 17:12:59 UTC 2015
On 11/18/2015 07:05 AM, Hubert Kario wrote:
> So, a full CAdES-A, XAdES-A or PAdES-A implementation _needs_ to support
> both relatively modern TLS with user certificates, preferably the newest
> cryptosystems and hashes as well as the oldest ones that were
> standardised and used.
>
> That means that old algorithms MUST remain in OpenSSL as supported
> functionality. It may require linking to a specific library to make the
> EVP* with old ciphers, MACs, etc. work, but they MUST NOT be removed
> from it completely, definitely not before at least 50 years _after_ they
> became obsolete and broken.
>
There seems to be a logical leap between these two paragraphs. Why is
it necessary that OpenSSL be the only cryptographic library used by
CAdES-A/etc. implementations? Is it in fact even necessary that only a
single version of a single cryptographic library be used for such
software? While OpenSSL may try to be a general-purpose crypto library,
when a software has stringent or unusual crypto requirements, it seems
reasonable that such a software may need to involve unusual implementations.
I do not believe that OpenSSL has promised anywhere that it will support
this sort of use case.
-Ben
More information about the openssl-users
mailing list