On Thu, Aug 31, 2017 at 1:44 PM, Sérgio Basto <sergio@xxxxxxxxxx> wrote: > On Thu, 2017-08-31 at 13:02 -0400, Tom Callaway wrote: >> >> On 08/20/2017 07:50 PM, Sérgio Basto wrote: >> > Hello, >> > I reopen or start thinking again on this question of enable >> > elliptic >> > curves of openssl [1] >> > So going directly to the point, may I built all source of openssl >> > in >> > copr [2] ? or at least some other curves that fedora package don't >> > ship? >> >> The curves and functionality which are disabled in the Fedora >> packages >> of OpenSSL are done so for legal reasons. > > hum > >> The very nature of those "legal reasons" makes it difficult to be >> more >> specific, as doing so could potentially expose Red Hat to increased >> liability. I realize this is problematic, but it is the reality we >> have >> to work with. >> >> Red Hat is still liable for packages in coprs, so you cannot put a >> "all >> source build" of openssl there. >> >> However, I would ask if there is a specific curve that is not enabled >> in >> OpenSSL that you need for a specific reason, please let me know, as I >> am >> willing to look into the legal specifics around any justified cases >> to >> see what we can do. > > Yes , some people, I mean, not just me, asked to enable some curves, I > had summarize it in [1] . We ask to enable prime192v1, secp224r1 and > sect233k1 elliptic curves but the reply was: "I would view enabling EC > curves smaller than 256 bits as a security regression. So I am > wontfixing this bug. " > > So first, is legal have prime192v1, secp224r1 and sect233k1 enabled ? > > On other hand, I prefer have a blacklist of legal curves, than a white > list like we have today. I think if openssl distribute it, should be a > gray area, because if IIRC Debian enable all or at least much more (I > have to check that better ...) What Debian does with their packages does not reflect on what Fedora can do. The legal structure around the two distributions are completely different and we cannot use Debian, or any other distribution, as an example of what is possible. josh _______________________________________________ legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx
