Re: about openssl we may enable and build all elliptic curves on corp ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Aug 31, 2017 at 1:44 PM, Sérgio Basto <sergio@xxxxxxxxxx> wrote:
> On Thu, 2017-08-31 at 13:02 -0400, Tom Callaway wrote:
>>
>> On 08/20/2017 07:50 PM, Sérgio Basto wrote:
>> > Hello,
>> > I reopen or start thinking again on this question of enable
>> > elliptic
>> > curves of openssl  [1]
>> > So going directly to the point, may I built all source of openssl
>> > in
>> > copr [2] ? or at least some other curves that fedora package don't
>> > ship?
>>
>> The curves and functionality which are disabled in the Fedora
>> packages
>> of OpenSSL are done so for legal reasons.
>
> hum
>
>> The very nature of those "legal reasons" makes it difficult to be
>> more
>> specific, as doing so could potentially expose Red Hat to increased
>> liability. I realize this is problematic, but it is the reality we
>> have
>> to work with.
>>
>> Red Hat is still liable for packages in coprs, so you cannot put a
>> "all
>> source build" of openssl there.
>>
>> However, I would ask if there is a specific curve that is not enabled
>> in
>> OpenSSL that you need for a specific reason, please let me know, as I
>> am
>> willing to look into the legal specifics around any justified cases
>> to
>> see what we can do.
>
> Yes , some people, I mean, not just me, asked to enable some curves, I
> had summarize it in [1] .  We ask to enable prime192v1, secp224r1 and
> sect233k1 elliptic curves but the reply was: "I would view enabling EC
> curves smaller than 256 bits as a security regression. So I am
> wontfixing this bug. "
>
> So first, is legal have prime192v1, secp224r1 and sect233k1 enabled ?
>
> On other hand, I prefer have a blacklist of legal curves, than a white
> list like we have today. I think if openssl distribute it, should be a
> gray area, because if IIRC Debian enable all or at least much more (I
> have to check that better ...)

What Debian does with their packages does not reflect on what Fedora
can do.  The legal structure around the two distributions are
completely different and we cannot use Debian, or any other
distribution, as an example of what is possible.

josh
_______________________________________________
legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [Gnome Users]     [KDE Users]

  Powered by Linux