Getting the key for any given communication from OpenSSL is definitely doable if you're not using an engine. If you are using an engine, it may or may not be even possible.
In any case, maintaining that key once you have it is definitely out of scope of OpenSSL. As an app developer subject to that law, it is up to you to figure out a way to keep it available for compliance purposes.
I'm not part of the OpenSSL team, so I have no capacity to make a policy statement on their behalf. However, I'm pretty sure that OpenSSL is not going to alter its API or its library design to make it easier for a bolt-on AusAssAccess module to be written that directly queries the state of the library or its structures.
That said, in the past it's been bandied about that an originating software package subject to the law could encrypt the symmetric key not only to the intended recipient, but also to a hardcoded compliance key. A receiving software package subject to the law would have to modify its receipt process to store a copy of the symmetric key elsewhere when it first decrypted a message -- probably also encrypted to a hardcoded compliance key.
The downside is "what happens when that compliance key is compromised"? (or, for that matter, if the compliance key is lost.) And it will be compromised or lost, someday, some way. That's the reason so many people have been against backdoors like this -- the security of the system is good, but the security of human beings tasked with maintaining the security of the system is nowhere near as good.
-Kyle H
Rather than going down the political or policy line, perhaps it may be prudent to discuss the technical solutions to testing the engine, regardless of the OS it is running on.
How does one validate and test the engines during / after compile to ensure their ‘trust’ ?
> On 15 Dec 2018, at 10:42, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
>
>> On Dec 14, 2018, at 5:42 PM, bmeeker51@xxxxxxxxxxxxxxxxxxx wrote:
>>
>> I simply wanted a clear statement so I can make an informed decision whether or not I should use OpenSSL in future projects. I now have my answer. Thank you.
>
> This is not the right forum for that question. The bill is too
> new for a policy response to have been considered or agreed.
>
> OpenSSL has committers from many countries. OpenSSH also
> has an Australian maintainer, have they published a policy?
>
> I am sure there are Australian contributors to Linux, NetBSD,
> FreeBSD, OpenBSD, Android, ...
>
> Avoiding all taint from anything touched by Australia will not
> be easy.
>
> --
> Viktor.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Rather than going down the political or policy line, perhaps it may be prudent to discuss the technical solutions to testing the engine, regardless of the OS it is running on.
How does one validate and test the engines during / after compile to ensure their ‘trust’ ?
> On 15 Dec 2018, at 10:42, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
>
>> On Dec 14, 2018, at 5:42 PM, bmeeker51@xxxxxxxxxxxxxxxxxxx wrote:
>>
>> I simply wanted a clear statement so I can make an informed decision whether or not I should use OpenSSL in future projects. I now have my answer. Thank you.
>
> This is not the right forum for that question. The bill is too
> new for a policy response to have been considered or agreed.
>
> OpenSSL has committers from many countries. OpenSSH also
> has an Australian maintainer, have they published a policy?
>
> I am sure there are Australian contributors to Linux, NetBSD,
> FreeBSD, OpenBSD, Android, ...
>
> Avoiding all taint from anything touched by Australia will not
> be easy.
>
> --
> Viktor.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
