On 11/18/15, 12:12 , "openssl-dev on behalf of Benjamin Kaduk" <openssl-dev-boun...@openssl.org on behalf of bka...@akamai.com> wrote:
>On 11/18/2015 07:05 AM, Hubert Kario wrote:
>> So, a full CAdES-A, XAdES-A or PAdES-A implementation _needs_ to support
>> both relatively modern TLS with user certificates, preferably the newest
>> cryptosystems and hashes as well as the oldest ones that were
>> standardised and used.
>>
>> That means that old algorithms MUST remain in OpenSSL as supported
>> functionality. It may require linking to a specific library to make the
>> EVP* with old ciphers, MACs, etc. work, but they MUST NOT be removed
>> from it completely, definitely not before at least 50 years _after_ they
>> became obsolete and broken.
>
>There seems to be a logical leap between these two paragraphs. Why is
>it necessary that OpenSSL be the only cryptographic library used by
>CAdES-A/etc. implementations?

Because it used to be the only real game in town, and *people learned to rely upon it*.

>Is it in fact even necessary that only a
>single version of a single cryptographic library be used for such
>software?

No, of course not. But after letting people depend on this “single cryptographic library” for many years, telling them “too bad” isn’t very nice.

>While OpenSSL may try to be a general-purpose crypto library,
>when a software has stringent or unusual crypto requirements, it seems
>reasonable that such a software may need to involve unusual
>implementations.

The requirements did not change. What changed was the maintainers expressing their desire to stop supporting some of them.

>I do not believe that OpenSSL has promised anywhere that it will support
>this sort of use case.

Implicitly, by providing that kind of service for so long.
And explicitly, as pointed out by Hubert:

From the main web page of the project:

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, *full-featured*, and Open Source toolkit implementing the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols as well as a full-strength *general purpose* *cryptography library*.