I tested OpenSSL 0.9.8g and here's what I found.
Obviously this is only with respect to the bits I've been using
recently.

1. the signature. It's signed, alright, but there's
no evidence the OpenSSL TEAM is involved in the signing.
Some German CA signing Lutz' key is a well-formed thing,
in general, I assume, but I have no reason to trust
a German CA - first of all it's PGP and there should,
imo, be multiple sigs on the signing key and they should
be sigs from the team, and second even if I wanted to use
a CA, it'd probably be documented in German.

2. the CA.pl/openssl.cnf configuration was changed
to make the root key valid for 10 years. First of all
it wasn't broken before, second that's too long.

3. "./Configure no-shared no-rc6 no-idea" now works. That's
not always been the case. I use no-rc6 and no-idea to eliminate
the patented algorithms. Thank you.

4. the debugging is still turned on in the bignum context
routines ("-DBN_CTX_DEBUG" is defined in Configure) and so you
can't realistically run with debug compiles because the bignum
library tries to print values during the entire RSA process :-(

To work around #4 I modify Configure to remove the BN_CTX_DEBUG
define - it works fine after that.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org