[openssl-users] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

lists lists at rustichelli.net
Thu Nov 26 15:10:20 UTC 2015


On 11/13/2015 02:40 PM, Emilia Käsper wrote:
>
> BLOWFISH - probably still in use though I don't know where exactly?

Isn't Blowfish a building block of bcrypt and/or some similar stuff? I 
think that implementations don't rely on OpenSSL but I wouldn't take it 
for granted.

As for the rest of the algorithms, a lot has been already said but I 
would like to share my personal opinion (that of someone who has coded using 
the OpenSSL API for some time): I think of OpenSSL as an incredibly 
rich tool for the professionals and the students as well; if it were 
possible I would like to see all of the algorithms be there forever, 
including the odd situation of people who must decrypt some content they 
produced a long time ago, for instance.
I understand that this is not feasible in the long term, but we cannot 
forget that IT time is different from people time: the fact that an 
algorithm is born and becomes insecure in a few years doesn't mean that 
it won't be needed for some time, unless we accept the idea that OpenSSL 
is something to be used "for the time being" (which is reasonable for 
SSL/TLS and communications in general, much less for file encryption and 
signature features).
So, if it were possible to keep the algorithms for a long time, 
providing a simple way to put them out of the compilation (and the 
default compilation options may just do that), that would be great. At 
least as long as they are API-compliant (of course, you cannot ask to be 
kept consistent with the rest of the code for decades).
My gratefulness to all developers, whatever it will be!
