[openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback
Richard Moore
richmoore44 at gmail.com
Wed Nov 18 20:05:22 UTC 2015
On 18 November 2015 at 17:57, Hubert Kario <hkario at redhat.com> wrote:
> On Wednesday 18 November 2015 11:12:59 Benjamin Kaduk wrote:
> > On 11/18/2015 07:05 AM, Hubert Kario wrote:
> > > So, a full CAdES-A, XAdES-A or PAdES-A implementation _needs_ to
> > > support both relatively modern TLS with user certificates,
> > > preferably the newest cryptosystems and hashes as well as the
> > > oldest ones that were standardised and used.
> > >
> > > That means that old algorithms MUST remain in OpenSSL as supported
> > > functionality. It may require linking to a specific library to make
> > > the EVP* with old ciphers, MACs, etc. work, but they MUST NOT be
> > > removed from it completely, definitely not before at least 50 years
> > > _after_ they became obsolete and broken.
>
> > There seems to be a logical leap between these two paragraphs. Why is
> > it necessary that OpenSSL be the only cryptographic library used by
> > CAdES-A/etc. implementations? Is it in fact even necessary that only
> > a single version of a single cryptographic library be used for such
> > software?
> >
> > While OpenSSL may try to be a general-purpose crypto
> > library, when a software has stringent or unusual crypto
> > requirements, it seems reasonable that such a software may need to
> > involve unusual implementations.
> >
> > I do not believe that OpenSSL has promised anywhere that it will
> > support this sort of use case.
>
> From the main web page of project:
>
> The OpenSSL Project is a collaborative effort to develop a robust,
> commercial-grade, *full-featured*, and Open Source toolkit
> implementing the Transport Layer Security (TLS) and Secure Sockets
> Layer (SSL) protocols as well as a full-strength *general purpose*
> *cryptography library* .
>
> (emphasis mine)
>
>
I think now is the time for those who are going to provide the 50 year
support to step up to the plate then. Saying "oh but we can get it for free
for the next 50 years" doesn't work.
I think your emphasis here is exactly right though, the aim is *general
purpose* you are most definitely describing an extremely specialised
purpose that has unusual requirements.
Cheers
Rich.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151118/aac0fe88/attachment-0001.html>
More information about the openssl-users
mailing list