Re: Using Minisign for source file verification

On Fri, Aug 09, 2019 at 11:32:25AM +0200, François Kooman wrote:
> On 09.08.19 10:12, Petr Pisar wrote:
> > You can build a one-purpose application around e.g. OpenSSL. No need
> > for introducing yet another cryptographical library.
> 
> Sure, someone could. Probably. However, one would need to upgrade
> OpenSSL in CentOS/RHEL to get modern algorithm support, i.e. Ed25519.
> 
An algorithm that will be obsoleted by another modern algorithm in ten years. No,
this is not how cryptographical tools should be designed. The tool and the
signature format must be agnostic to a concrete algorithm.

> $ openssl genpkey -algorithm Ed25519 -out ed25519key.pem
> Algorithm Ed25519 not found
> 
This is an invalid argument. You can always find an arbitrarily old
distribution that does not support a feature of your choice.

And I thought we were talking about Fedora. And even so, it's not true. OpenSSL
in RHEL 8 supports Ed25519.

> It seems the only thing OpenSSL should be used for is TLS [1].
> Everything else crypto should avoid it...
>
> [1] https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html

There is no explanation why. Only a "don’t use a low-level crypto library like
OpenSSL or BouncyCastle" statement. Do you have any explanation? Moreover,
I cannot see how TLS is relevant to code signing.

-- Petr


_______________________________________________
packaging mailing list -- packaging@xxxxxxxxxxxxxxxxxxxxxxx