Hi folks at Fedora legal team, please give us a comment regarding missing ec and ecparam commands in openssl package in this bug: https://bugzilla.redhat.com/show_bug.cgi?id=319901
Cheers, Valent.
On 04/06/12 09:29, valent.turkovic@gmail.com wrote:
Hi folks at Fedora legal team, please give us a comment regarding missing ec and ecparam commands in openssl package in this bug: https://bugzilla.redhat.com/show_bug.cgi?id=319901
Cheers, Valent. _______________________________________________ legal mailing list legal@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/legal
Valent,
this was answered 3 months ago. To reiterate I will post Tom's response.
Fedora is legally part of Red Hat, and Red Hat has certain legal obligations it is required to adhere to, based on the fact that it is a US Company.
Elliptic Curve Cryptography is currently being reviewed. At this point in time, it must not be included or enabled in Fedora.
~tom
Regards,
Tristan
On Mon Jun 4, Tristan Santore wrote:
this was answered 3 months ago. To reiterate I will post Tom's response.
Fedora is legally part of Red Hat, and Red Hat has certain legal obligations it is required to adhere to, based on the fact that it is a US Company.
Elliptic Curve Cryptography is currently being reviewed. At this point in time, it must not be included or enabled in Fedora.
Has there been any progress on that since then? This is also blocking the inclusion of GnuTLS v3; we're currently shipping 2.12 which is a year out of date and lacking some important features and fixes.
The GnuTLS maintainer has clarified¹ that he has *only* used parts of EC which are documented in RFC6090 — a document which was produced *specifically* to cover the unpatented parts of Elliptic Curve cryptography, and which has no normative references dated later than 1994. It even eschews the definitions of MAY/SHOULD/MUST etc. from RFC2119 and provides its own, because RFC2119 was published later than 1994 ☺
For GnuTLS at least, the approval should be fairly much a no-brainer.
On 09/07/12 10:52, David Woodhouse wrote:
On Mon Jun 4, Tristan Santore wrote:
this was answered 3 months ago. To reiterate I will post Tom's response.
Fedora is legally part of Red Hat, and Red Hat has certain legal obligations it is required to adhere to, based on the fact that it is a US Company.
Elliptic Curve Cryptography is currently being reviewed. At this point in time, it must not be included or enabled in Fedora.
Has there been any progress on that since then? This is also blocking the inclusion of GnuTLS v3; we're currently shipping 2.12 which is a year out of date and lacking some important features and fixes.
The GnuTLS maintainer has clarified¹ that he has *only* used parts of EC which are documented in RFC6090 — a document which was produced *specifically* to cover the unpatented parts of Elliptic Curve cryptography, and which has no normative references dated later than 1994. It even eschews the definitions of MAY/SHOULD/MUST etc. from RFC2119 and provides its own, because RFC2119 was published later than 1994 ☺
For GnuTLS at least, the approval should be fairly much a no-brainer.
legal mailing list legal@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/legal
Tom,Richard,
could somebody please look at this one and expedite the response to this. There are a few valid points there and this seems rather urgent, considering out-datedness and the bug fixes found in updated versions.
In particular section 9 in RFC 6090 (page.20). http://tools.ietf.org/html/rfc6090#page-20
Quote: "Concerns about intellectual property have slowed the adoption of ECC because a number of optimizations and specialized algorithms have been patented in recent years.
All of the normative references for ECDH (as defined in Section 4) were published during or before 1989, and those for KT-I were published during or before May 1994. All of the normative text for these algorithms is based solely on their respective references."
Somebody will have to look at this closer to figure out, if the 17 year or the 20 year expiration period applies.
Thank you.
Regards, Tristan
On Mon, 2012-07-09 at 07:33 -0400, Tom Callaway wrote:
On 07/09/2012 05:52 AM, David Woodhouse wrote:
Has there been any progress on that since then?
This issue is still under review. Unfortunately, that's about all I can say about this right now.
Thanks, anyway, for the update.