Lucky Green wrote:
> 
> OpenSSL is a library. It should support whatever the standard supports and
> whatever users and/or authors of the lib desire to be in the lib. That may
> include broken or null-ciphers. But the user should have to take positive
> action to get at the broken ciphers. I believe by default, OpenSSL should
> ship with the weak ciphers disabled. And there should be a clear warning:
> "Not secure, don't fool yourself, do not use, etc]".

It's funny you should say that, because I was just working around to the
same conclusion myself. I anticipate resistance from both users and some
of the other developers, because it will break almost every
out-of-the-box installation, and it will be argued that the "user
experience" is far more important than this piffling security stuff.
Sigh. Ah well, here goes.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
