>From someone who does NOT understand the in's and out's of what people (developers and users) have been using openSSL for. My first reaction is: have developers been using openSSL, or has it gone to abusing it? For the sake of argument - let's say just use as it has always been intended. Many technologies - especially related to security - whether it be a big log through 'something', to skeleton keys', to digital keys, etc - we want to be able to trust our locks. When the lock technology is no longer trustworthy - whether it be packaging (which is what the discussion sounds like atm) or unrepairable "concerns" with the technology asis - we change our locks. Not everyone changes locks at the same moment in time. urgency depends on need, i.e., what is at risk. I started following these discussions because I am concerned (remember I am not really interested in the inner workings. I just think my locks are broken and wondering if it is time to change to something that maybe "can do less" - but what it does, does it better than what I have now. Regardless of the choices made by openssl - people outside openssl have needs and are looking at alternatives. To someone like me it is obvious something must change - even if technically it is cosmetic - because (open)SSL is losing the trust of it's users. As a user - I need a alternative. And just as I stopped using telnet/ftp/rsh/etc- because I could not entrust the integrity of my systems when those doors were open - so are my concerns re: (open)SSL. In short, is SSL still secure? And, very simply, as an un-knowledgeable user - given the choice of a library that does something well - and that's it, versus something else that does that - but leaves room for 'experiments' - Not on my systems. Experiment in experiment-land. My two bits. On Fri, Feb 6, 2015 at 9:59 PM, Matt Caswell <matt at openssl.org> wrote: > > > On 06/02/15 16:03, Jakob Bohm wrote: > > I believe you have made the mistake of discussing only amongst > > yourselves, thus gradually convincing each other of the > > righteousness of a flawed decision. > > > ...and, Rich said in a previous email (in response to your comment): > >> I fear that this is an indication that you will be killing > >> off all the other non-EVP entrypoints in libcrypto > > > > Yes there is a good chance of that happening. > > I'd like to stress that there has been no decision. In fact we're not > even close to a decision on that at the moment. > > Whilst this has certainly been discussed I don't believe we are near to > a consensus view at the moment. So whilst there is a good chance of that > happening....there's also a very good chance of it not. It is still > under discussion. > > Matt > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150207/9dbbb8bc/attachment-0001.html>