On Wednesday 18 November 2015 14:34:41 Benjamin Kaduk wrote: > On 11/18/2015 12:52 PM, Blumenthal, Uri - 0553 - MITLL wrote: > > On 11/18/15, 12:12 , "openssl-dev on behalf of Benjamin Kaduk" > > > > <openssl-dev-boun...@openssl.org on behalf of bka...@akamai.com> wrote: > >> On 11/18/2015 07:05 AM, Hubert Kario wrote: > >>> So, a full CAdES-A, XAdES-A or PAdES-A implementation _needs_ to > >>> support > >>> both relatively modern TLS with user certificates, preferably the > >>> newest > >>> cryptosystems and hashes as well as the oldest ones that were > >>> standardised and used. > >>> > >>> That means that old algorithms MUST remain in OpenSSL as supported > >>> functionality. It may require linking to a specific library to > >>> make the EVP* with old ciphers, MACs, etc. work, but they MUST > >>> NOT be removed from it completely, definitely not before at least > >>> 50 years _after_ they > >>> became obsolete and broken. > >> > >> There seems to be a logical leap between these two paragraphs. Why > >> is it necessary that OpenSSL be the only cryptographic library > >> used by CAdES-A/etc. implementations? > > > > Because it used to be the only real game in town, and *people > > learned to rely upon it*. > > > >> Is it in fact even necessary that only a > >> single version of a single cryptographic library be used for such > >> software? > > > > No, of course not. But after letting people depend on this “single > > cryptographic library” for many years, telling them “too bad” isn’t > > very nice. > > I guess I'm just having a hard time wrapping my head around why, upon > hearing that the volunteer-run project is giving years' advance notice > that certain features will be removed, the response is insistence > that everything must remain supported forever, instead of using the > advance notice to investigate alternatives. Volunteers should be > allowed to ease up when they need to, after all.
not everything If there was a queue to axe MD5 and SHA-1 signatures, 1DES ciphers, RC4 and export grade ciphers in libssl, you can be sure you'll find me at front of it we already removed SSLv2 from 1.1.0 and nobody really argued that it needs to stay But libcrypto needs to support legacy stuff because it needs to handle data at rest, not only data in transit. Those two are completely different worlds. -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev