On Thu, 2017-08-31 at 13:02 -0400, Tom Callaway wrote:
> On 08/20/2017 07:50 PM, Sérgio Basto wrote:
> > Hello,
> > I reopen or start thinking again on this question of enabling
> > elliptic curves of openssl [1]
> > So going directly to the point, may I build all source of openssl
> > in copr [2]? Or at least some other curves that the fedora package
> > doesn't ship?
>
> The curves and functionality which are disabled in the Fedora packages
> of OpenSSL are done so for legal reasons.

hum

> The very nature of those "legal reasons" makes it difficult to be more
> specific, as doing so could potentially expose Red Hat to increased
> liability. I realize this is problematic, but it is the reality we have
> to work with.
>
> Red Hat is still liable for packages in coprs, so you cannot put an
> "all source build" of openssl there.
>
> However, I would ask if there is a specific curve that is not enabled in
> OpenSSL that you need for a specific reason, please let me know, as I am
> willing to look into the legal specifics around any justified cases to
> see what we can do.

Yes, some people, I mean, not just me, asked to enable some curves; I
had summarized it in [1].
We asked to enable the prime192v1, secp224r1 and sect233k1 elliptic curves,
but the reply was:
"I would view enabling EC curves smaller than 256 bits as a security
regression. So I am wontfixing this bug."

So first, is it legal to have prime192v1, secp224r1 and sect233k1 enabled?

On the other hand, I prefer to have a blacklist of legal curves rather than a
white list like we have today. I think if openssl distributes it, it should
be a gray area, because IIRC Debian enables all or at least much more (I
have to check that better ...)

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1405843#c5

> ~tom

--
Sérgio M. B.