On 05/09/2015 05:21 AM, Douglas E Engert wrote: > > Removing the code might be the best thing that could happen.
It "might" be. That's hardly a ringing endorsement. > Misuse of the older Kerberos code in OpenSSL with SSL is not as > secure as one might think. That's not proof -- that's not even evidence that it is necessary to remove the code. More specifically, it is an awfully high-handed way to inform the users what we think is "best" for them. As previously mentioned in a different context, it is a bedrock principle of sound reasoning and sound planning that one should /Consider all the plausible scenarios./ So let's consider the following scenario: Rather than extirpating the code, we could simply add in a few instances of something like this: #error This feature is insecure, obsolete, unsupported, and vehemently deprecated. #warning This code will be removed in a future release. and leave it that way for a couple of Debian release cycles. That serves the purpose of communicating with the users, without being quite so high-handed. Also it would be good to communicate exactly what is being deprecated. All of Kerberos? Some particular combination of Kerberos+SSL???? In this scenario, users who wish to communicate a reply to us can do so, on a non-emergency basis. They can search for other ways of doing what needs to be done, on a non-emergency basis. _______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
