On Tue, Nov 17, 2015 at 7:21 AM, Emilia Käsper <emilia at openssl.org> wrote:
>
>
> On Tue, Nov 17, 2015 at 11:12 AM, Jeffrey Walton <noloader at gmail.com> wrote:
>>
>> > MD2 - (The argument that someone somewhere may want to keep verifying
>> > old MD2 signatures on self-signed certs doesn't seem like a compelling
>> > enough reason to me. It's been disabled by default since OpenSSL 1.0.0.)
>> > ...
>> Apple still provides two Verisign certificates using
>> md2WithRSAEncryption. Confer,
>> https://support.apple.com/en-us/HT203065.
>
>
> Setting aside the debate of whether verifying trust store signatures is
> useful, whether verifying MD2 signatures has any practical security value,
> or whether OpenSSL + iOS is a meaningful combination:
>
> This is iOS7. The current release is iOS9 (trust store here:
> https://support.apple.com/en-us/HT205205, MD2 certs are gone).
>
> Arguments like this illustrate a fundamental misunderstanding in this
> thread. We are not pulling the carpet from any users TODAY. We are asking
> whether there are applications that will need this code 2..3..5 years down
> the line.

My bad... I was not arguing either way. I was just presenting facts.

Also, if OpenSSL requires iOS 9 or above, then it's setting policy for users.

I still have iOS 6, 7 and 8 devices because (1) some of my hardware is old and abandoned by Apple (they are trying to set policy, too, in an effort to boost sales). (2) I dislike the "cartoony" interface of iOS 7 and above. (3) I have down level OS X operating systems (due to operational requirements and personal taste), and they can't talk to iOS 8 or 9 devices.

Jeff