On Monday 16 November 2015 19:51:08 Emilia Käsper wrote:
> One more time,
> 
> I know that someone, somewhere is probably using any given feature of
> OpenSSL. I am looking to gather information about concrete, actively
> maintained applications that may be using one of those algorithms, to
> build a more complete picture.
> 
> If you are aware of a concrete use of MD2 or any of the other
> algorithms, please let us know!

And I'm saying that it is next to impossible for me to say for certain
because standards like CMS, S/MIME, PKCS#8 and X.509 are extensible and
self-descriptive. The file itself says which algorithms are needed to
process it.

So without access to _all_ _data_ that the applications need to process 
it is impossible for me to tell which of those algorithms are necessary 
for continued operation of those applications.


Example: CAdES V1.2.2 was published in late 2000, the first serious 
attacks on MD2 were not published until 2004. I think it is not 
unreasonable for CAdES-A documents to exist today which were originally 
signed with MD2 while it was still considered secure and that are still 
relevant today, just 15 years later.

> Thanks,
> Emilia
> 
> On Mon, Nov 16, 2015 at 7:25 PM, Hubert Kario <hka...@redhat.com> wrote:
> > On Monday 16 November 2015 16:51:10 Emilia Käsper wrote:
> > > IDEA, MD2, MDC2, RC5, RIPEMD, SEED, Whirlpool, binary curves
> > > 
> > > This isn't of course entirely representative of widespread usage.
> > > However Google's multi-billion line codebase now builds against
> > > BoringSSL and therefore largely does not depend on these
> > > algorithms.
> > > Those billions of lines aren't all new and shiny code written in
> > > 2015, and some of it does have to interoperate with the outside
> > > world.
> > > 
> > > And here's the list gone from LibreSSL, from what I can tell:
> > > 
> > > MD2, MDC2, RC5, SEED
> > > 
> > > Neither have removed CAST, and there is presumably a good reason
> > > for that. (PGP?)
> > > 
> > > It seems to me that these can pretty safely go:
> > > 
> > > MD2 - (The argument that someone somewhere may want to keep
> > > verifying old MD2 signatures on self-signed certs doesn't seem like a
> > > compelling enough reason to me. It's been disabled by default since
> > > OpenSSL 1.0.0.)
> > > MDC2
> > > SEED
> > > RC5
> > > 
> > > These could probably stay (C only):
> > > 
> > > CAST
> > > IDEA
> > > RIPEMD (used in Bitcoin?)
> > > WHIRLPOOL
> > > 
> > > as well as
> > > 
> > > BLOWFISH
> > > MD4
> > > RC2
> > > 
> > > I am on the fence about the binary curves: I am not aware of any
> > > usage, really, and it's not about to pick up now.
> > 
> > I'm afraid you're too focused on TLS/SSL use case. And while it is
> > important it's not the only use case the OpenSSL does serve.
> > 
> > And for what it's worth, I'm very much *for* removing as much (and
> > as fast as possible) support for the old junk (or unused stuff - like
> > curves < 256 bit) in TLS. Search the archives for "Insecure DEFAULT
> > cipher set" for an example.
> > 
> > But stuff like this:
> > > The argument that someone somewhere may want to keep verifying
> > > old MD2 signatures on self-signed certs
> > 
> > is not true. I was talking about document signatures, time stamps,
> > CRL signatures and certificate signatures in general. Not the trust
> > anchors or their self-signatures.
> > 
> > --
> > Regards,
> > Hubert Kario
> > Senior Quality Engineer, QE BaseOS Security team
> > Web: www.cz.redhat.com
> > Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
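The point above, that a CMS/X.509 object names the algorithms it needs inside the file itself, is something a defender can act on by scanning stored certificates before library support for MD2 or MD5 disappears. The following is an added example, not code from this thread or from OpenSSL: a standard-library-only Python snippet that reads the signatureAlgorithm OID from a DER-encoded certificate and flags the legacy digests; the function names, the OID table and the constructed sample certificate are my own.

```python
# Added example (not OpenSSL code): read the signatureAlgorithm OID that a
# DER-encoded X.509 certificate declares about itself, so stored certificates
# can be inventoried for MD2/MD5 signatures before library support disappears.
LEGACY_SIG_OIDS = {                       # genuine PKCS #1 OIDs
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode OID content octets (base-128 arcs) into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)        # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)   # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def classify(cert_der):
    """Return (oid, name); name is the legacy algorithm or 'other'."""
    oid = signature_algorithm_oid(cert_der)
    return oid, LEGACY_SIG_OIDS.get(oid, "other")

def der_tlv(tag, content):                # short-form encoder, used only for the sample
    return bytes([tag, len(content)]) + content

# Constructed sample: Certificate-shaped DER with dummy tbs/signature fields and
# a genuine md2WithRSAEncryption AlgorithmIdentifier (OID followed by NULL params).
MD2_SIGNED_SAMPLE = der_tlv(0x30, der_tlv(0x30, b"\x02\x01\x01")
    + der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x02") + b"\x05\x00")
    + der_tlv(0x03, b"\x00\xde\xad"))
```

Run it over every certificate a deployment actually holds (including those inside CAdES/CMS blobs, CRLs and timestamps) rather than over the trust anchors alone, which is exactly the distinction the reply draws.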


_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
