On 09/07/12 10:52, David Woodhouse wrote: > On Mon Jun 4, Tristan Santore wrote: >> this was answered 3 months ago. >> To reiterate I will post Tom's response. >> >>> Fedora is legally part of Red Hat, and Red Hat has certain legal >>> obligations it is required to adhere to, based on the fact that it is a >>> US Company. >>> >>> Elliptic Curve Cryptography is currently being reviewed. At this point >>> in time, it must not be included or enabled in Fedora. > > Has there been any progress on that since then? This is also blocking > the inclusion of GnuTLS v3; we're currently shipping 2.12 which is a > year out of date and lacking some important features and fixes. > > The GnuTLS maintainer has clarified¹ that he has *only* used parts of EC > which are documented in RFC6090 — a document which was produced > *specifically* to cover the unpatented parts of Elliptic Curve > cryptography, and which has no normative references dated later than > 1994. It even eschews the definitions of MAY/SHOULD/MUST etc. from > RFC2119 and provides its own, because RFC2119 was published later than > 1994 ☺ > > For GnuTLS at least, the approval should be fairly much a no-brainer. > > > > > _______________________________________________ > legal mailing list > legal@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/legal Tom,Richard, could somebody please look at this one and expedite the response to this. There are a few valid points there and this seems rather urgent, considering out-datedness and the bug fixes found in updated versions. In particular section 9 in RFC 6090 (page.20). http://tools.ietf.org/html/rfc6090#page-20 Quote: "Concerns about intellectual property have slowed the adoption of ECC because a number of optimizations and specialized algorithms have been patented in recent years. All of the normative references for ECDH (as defined in Section 4) were published during or before 1989, and those for KT-I were published during or before May 1994. All of the normative text for these algorithms is based solely on their respective references." Somebody will have to look at this closer to figure out, if the 17 year or the 20 year expiration period applies. Thank you. Regards, Tristan -- Tristan Santore BSc MBCS TS4523-RIPE Network and Infrastructure Operations InterNexusConnect Mobile +44-78-55069812 Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx Former Thawte Notary (Please note: Thawte has closed its WoT programme down, and I am therefore no longer able to accredit trust) For Fedora related issues, please email me at: TSantore@xxxxxxxxxxxxxxxxx _______________________________________________ legal mailing list legal@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/legal
