On 10/22/2015 12:45 PM, Salz, Rich wrote:
>> Maybe it would help if Victor could describe the situation in which he thinks
>> that it would be appropriate to send a certificate that is signed by MD5.
> Or where an application upgrades to a new library and expects EVERYTHING to
> work exactly as it used to, with no changes.
>
That one's actually not very hard -- in a system like FreeBSD ports or NetBSD pkgsrc, the application and the library are separately maintained within the whole tree, and when someone builds the application, they get whatever version of the library happens to be in the tree at that time. The library can easily get upgraded without the application maintainer noticing, and the automated systems are only likely to detect compilation failure, not runtime behavior changes. That is, the library update can be transparent to the end-user, who will continue to expect normal functionality and expect everything to work.

-Ben

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls