Re: about openssl we may enable and build all elliptic curves on corp ?

On Thu, 2017-08-31 at 18:44 +0100, Sérgio Basto wrote:
> On Thu, 2017-08-31 at 13:02 -0400, Tom Callaway wrote:
> > 
> > On 08/20/2017 07:50 PM, Sérgio Basto wrote:
> > > Hello,
> > > I reopen or start thinking again on this question of enabling elliptic
> > > curves of openssl [1]
> > > So going directly to the point, may I build all source of openssl in
> > > copr [2]? Or at least some other curves that the Fedora package doesn't
> > > ship?
> > 
> > The curves and functionality which are disabled in the Fedora packages
> > of OpenSSL are done so for legal reasons.
> 
> hum 
> 
> > The very nature of those "legal reasons" makes it difficult to be more
> > specific, as doing so could potentially expose Red Hat to increased
> > liability. I realize this is problematic, but it is the reality we have
> > to work with.
> > 
> > Red Hat is still liable for packages in coprs, so you cannot put a "all
> > source build" of openssl there.
> > 
> > However, I would ask if there is a specific curve that is not enabled in
> > OpenSSL that you need for a specific reason, please let me know, as I am
> > willing to look into the legal specifics around any justified cases to
> > see what we can do.
> 
> Yes, some people, I mean, not just me, asked to enable some curves; I
> had summarized it in [1]. We asked to enable prime192v1, secp224r1 and
> sect233k1 elliptic curves but the reply was: "I would view enabling EC
> curves smaller than 256 bits as a security regression. So I am
> wontfixing this bug."
> 
> So first, is it legal to have prime192v1, secp224r1 and sect233k1 enabled?
> 
> On the other hand, I prefer to have a blacklist of legal curves, rather
> than a whitelist like we have today. I think if openssl distributes it,
> it should be a gray area, because IIRC Debian enables all or at least
> many more (I have to check that better ...)
> 
> 
> [1] 
> https://bugzilla.redhat.com/show_bug.cgi?id=1405843#c5


Hello, and five years later ... 

We got several requests to enable it, at least [1].

We have observed that the patent for elliptic curves was set to expire in
2020,
https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/hobble-openssl#_10
not just elliptic curves but all.

So first, we need to clarify that there is no legal problem in enabling it
and therefore we can build it on copr.
After that, we need the package maintainer to agree on enabling it, and that
is what seems to be the biggest difficulty (I would view enabling EC
curves smaller than 256 bits as a security regression. So I am
wontfixing this bug). [2]

I'm sending this email to second the "request to stop hobbling crypto
libraries" and avoid the need for an openssl-freeworld package
"if Red Hat and Fedora legal agree we don't need to strip algos
anymore"

Thank you.
 
[1]
[Fedora-legal-list] Is ECDSA secp256k1 elliptic curve permitted to be packaged in Fedora?

[Fedora-legal-list] Brainpool Curves in Fedora (openssl, libgcrypt, gnupg)

[Fedora-legal-list] Permissibility of P-434 based elliptic curve in Fedora

[Fedora-legal-list] Request to stop hobbling crypto libraries

[2]
https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/0011-Remove-EC-curves.patch
https://bugzilla.redhat.com/show_bug.cgi?id=1067697#c3

-- 
Sérgio M. B.