PR 11575 <https://github.com/openssl/openssl/pull/11575> has been blocking, 
awaiting a decision, for a while now.  Time for a vote:

topic: Merge #11575 for 3.0.
comment: This PR removes the notes indicating that a number of the command
         line utilities are deprecated.  Not merging it will leave them flagged
         as deprecated.
Proposed by: Paul Dale
Public: yes
opened: 2020-05-08

Ideally we’ll have a decision in time for the next 3.0 alpha release.


The crux of the matter is that a number of the command line utilities are 
currently flagged as deprecated:
  - dhparam
  - dsa
  - dsaparam
  - ec
  - ecparam
  - gendsa
  - rsa
These commands are not being removed in 3.0; instead they’ve been rewritten to 
use the PKEY APIs rather than the low level APIs as far as possible.


The reasons for keeping them are:
  - they are easier to use than the pkey replacements
  - a web search will likely turn up these commands, not the pkey replacements.

The reason for removing them is one of maintenance: having duplicate commands 
means having to make changes in two places and this has been missed in the past 
and will be in the future.


Other random notes:
  - Deprecation of these commands does not mandate that they are removed at the 
    first opportunity.  It only indicates that we want to move away from them.
  - Rewriting these commands so that they call the pkey replacements looks to be 
    very difficult.  Reproducing the exact behaviours will be challenging, although 
    the basic functionality would be straightforward.
  - The rsautl command is deprecated and isn’t slated for being restored — pkeyutl 
    is every bit as easy to use.
  - The -dsaparam option to dhparam is deprecated — it cannot be supported without 
    direct access to low level functionality we want to remove.
  - Post quantum crypto will make the discussion obsolete — none of these 
    algorithms are useful in a quantum computer world.

My personal opinion is that these commands are good being deprecated but that 
we should not remove them until their usefulness is at an end.  This will 
likely mean not removing them after five years of deprecation.  It would mean 
removing them once quantum computers are shown to be effective.  Without 
deprecation now, we can’t remove them until a lot later.


Pauli
-- 
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
Phone +61 7 3031 7217
Oracle Australia