> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Salz, Rich
> Sent: Thursday, July 09, 2015 15:29
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] Old "RSA_NET" key format
>
> > Because both methods confirm your prior decisions, you therefore
> > conclude that you were always right in the first place.
>
> Provably wrong. I wanted to get rid of Netware support as the first example
> that comes to mind. As the second, I want to move all uses of RC4 and MD5
> to LOW strength ciphers. Neither one of those things is happening.

As one of the people who complained (publicly) about the proposal to move RC4 to LOW, I have to support Rich here. He did ask about it on the list, there were complaints, and the mooted change was abandoned (at that time; it may of course come up again, which I think is reasonable).

In the flurry of changes to the OpenSSL development staff and processes after Heartbleed, some people - myself included - had the impression that the team was making changes to OpenSSL too quickly, with insufficient community input. Since then I for one have come to feel that they're being more measured and careful about making those changes than I originally believed.

Removing little-used, archaic features always poses some danger of breaking existing applications. However, it's also a potent way to retire technical debt and refactor other parts of the code base, making the whole easier to maintain, which is a benefit to people not using those features. It's a procedure that shouldn't be undertaken lightly, but software development is always a matter of compromises, and sometimes it's the best compromise available.

--
Michael Wojcik
Technology Specialist, Micro Focus