[4992] in cryptography@c2.net mail archive


Re: so why is IETF still adding DES to protocols? (Re: It's official... DES is History)

daemon@ATHENA.MIT.EDU (Ben Laurie)
Sat Jun 26 12:50:05 1999

Date: Sat, 26 Jun 1999 13:40:49 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Lucky Green <shamrock@cypherpunks.to>
Cc: "Jeffrey I. Schiller" <jis@MIT.EDU>, Adam Back <aba@dcs.ex.ac.uk>,
        cryptography@c2.net, cypherpunks@cyberpass.net, mleech@nortel.ca

Lucky Green wrote:
> 
> OpenSSL is a library. It should support whatever the standard supports and
> whatever users and/or authors of the lib desire to be in the lib. That may
> include broken or null-ciphers. But the user should have to take positive
> action to get at the broken ciphers. I believe by default, OpenSSL should
> ship with the weak ciphers disabled. And there should be a clear warning:
> "Not secure, don't fool yourself, do not use, etc]".

It's funny you should say that, because I was just working around to the
same conclusion myself. I anticipate resistance from both users and some
of the other developers, because it will break almost every
out-of-the-box installation, and it will be argued that the "user
experience" is far more important than this piffling security stuff.
Sigh. Ah well, here goes.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi

