Re: Do we really want to have the legacy provider as opt-in only?

2019-07-17 Thread Tim Hudson
My view point (which has been stated elsewhere) is that OpenSSL-3.0 is
about internal restructuring to allow for the various things noted in the
design documents.
It is not about changing the feature set (in a feature reduction sense).

In future releases we will make the mixture of providers available more
capable and may adjust what algorithms are available and may even do things
like place national ciphers in separate providers.
But OpenSSL-3.0 is *not* the time to do any of those things.

We should be focused on the restructuring and getting the FIPS140 handling
in place and not making policy decisions about changing algorithm
availability or other such things.
The objective is that the vast majority of applications that use
OpenSSL-1.1 can use OpenSSL-3.0 with a simple recompilation without any
other code changes.

That I believe has been our consistent out-bound message in discussions as
a group and our overall driver.

In the future, things may become more dynamic and we may change the
algorithm sets and may use more configuration based approaches and may even
place each algorithm in a separate provider and allow for a whole range of
dynamic handling.
But those are for the future. OpenSSL-3.0 is basically an internally
restructured version of OpenSSL-1.1 with a FIPS140 solution.

Tim.


Re: Do we really want to have the legacy provider as opt-in only?

2019-07-17 Thread Salz, Rich
>  If DSA is almost never used, why enable it by default?

I am amused/bemused that, after years of saying we do not know what people are 
doing with OpenSSL, it now is now becoming common practice to blithely assert 
"this is not used" when it fits the personal viewpoint of some folks.