Hello, I am reopening, or starting to think again about, this question of enabling the elliptic curves of openssl [1]. So, going directly to the point, may I build all the source of openssl in copr [2]? Or at least some other curves that the Fedora package doesn't ship?
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1405843
[2] Version: 1.0.2k %global fips_version 2.0.14 I mean sources: http://ftp.openssl.org/source/openssl-%{version}.tar.gz and http://ftp.openssl.org/source/openssl-fips-%{fips_version}.tar.gz
Thanks,
I'm on vacation until Tuesday, but the short answer is no.
If you want the longer answer, lemme know, and I'll reply later this week.
~tom
On Aug 20, 2017 7:50 PM, "Sérgio Basto" sergio@serjux.com wrote:
> Hello, I am reopening, or starting to think again about, this question of enabling the elliptic curves of openssl [1]. So, going directly to the point, may I build all the source of openssl in copr [2]? Or at least some other curves that the Fedora package doesn't ship?
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1405843
> [2] Version: 1.0.2k %global fips_version 2.0.14 I mean sources: http://ftp.openssl.org/source/openssl-%{version}.tar.gz and http://ftp.openssl.org/source/openssl-fips-%{fips_version}.tar.gz
> Thanks,
> Sérgio M. B.
> _______________________________________________
> legal mailing list -- legal@lists.fedoraproject.org
> To unsubscribe send an email to legal-leave@lists.fedoraproject.org
On 08/20/2017 07:50 PM, Sérgio Basto wrote:
> Hello, I am reopening, or starting to think again about, this question of enabling the elliptic curves of openssl [1]. So, going directly to the point, may I build all the source of openssl in copr [2]? Or at least some other curves that the Fedora package doesn't ship?
The curves and functionality which are disabled in the Fedora packages of OpenSSL are done so for legal reasons.
The very nature of those "legal reasons" makes it difficult to be more specific, as doing so could potentially expose Red Hat to increased liability. I realize this is problematic, but it is the reality we have to work with.
Red Hat is still liable for packages in coprs, so you cannot put an "all source build" of openssl there.
However, I would ask if there is a specific curve that is not enabled in OpenSSL that you need for a specific reason, please let me know, as I am willing to look into the legal specifics around any justified cases to see what we can do.
~tom
On Thu, 2017-08-31 at 13:02 -0400, Tom Callaway wrote:
> On 08/20/2017 07:50 PM, Sérgio Basto wrote:
> > Hello, I am reopening, or starting to think again about, this question of enabling the elliptic curves of openssl [1]. So, going directly to the point, may I build all the source of openssl in copr [2]? Or at least some other curves that the Fedora package doesn't ship?
> The curves and functionality which are disabled in the Fedora packages of OpenSSL are done so for legal reasons.
hum
> The very nature of those "legal reasons" makes it difficult to be more specific, as doing so could potentially expose Red Hat to increased liability. I realize this is problematic, but it is the reality we have to work with.
> Red Hat is still liable for packages in coprs, so you cannot put an "all source build" of openssl there.
> However, I would ask if there is a specific curve that is not enabled in OpenSSL that you need for a specific reason, please let me know, as I am willing to look into the legal specifics around any justified cases to see what we can do.
Yes, some people, I mean, not just me, asked to enable some curves; I have summarized it in [1]. We ask to enable the prime192v1, secp224r1 and sect233k1 elliptic curves, but the reply was: "I would view enabling EC curves smaller than 256 bits as a security regression. So I am wontfixing this bug."
So first, is it legal to have prime192v1, secp224r1 and sect233k1 enabled?
On the other hand, I prefer to have a blacklist of legal curves rather than a white list like we have today. I think if openssl distributes it, it should be a gray area, because, IIRC, Debian enables all or at least many more (I have to check that better ...)
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1405843#c5
> ~tom
On Thu, Aug 31, 2017 at 1:44 PM, Sérgio Basto sergio@serjux.com wrote:
> On Thu, 2017-08-31 at 13:02 -0400, Tom Callaway wrote:
> > On 08/20/2017 07:50 PM, Sérgio Basto wrote:
> > > Hello, I am reopening, or starting to think again about, this question of enabling the elliptic curves of openssl [1]. So, going directly to the point, may I build all the source of openssl in copr [2]? Or at least some other curves that the Fedora package doesn't ship?
> > The curves and functionality which are disabled in the Fedora packages of OpenSSL are done so for legal reasons.
> hum
> > The very nature of those "legal reasons" makes it difficult to be more specific, as doing so could potentially expose Red Hat to increased liability. I realize this is problematic, but it is the reality we have to work with.
> > Red Hat is still liable for packages in coprs, so you cannot put an "all source build" of openssl there.
> > However, I would ask if there is a specific curve that is not enabled in OpenSSL that you need for a specific reason, please let me know, as I am willing to look into the legal specifics around any justified cases to see what we can do.
> Yes, some people, I mean, not just me, asked to enable some curves; I have summarized it in [1]. We ask to enable the prime192v1, secp224r1 and sect233k1 elliptic curves, but the reply was: "I would view enabling EC curves smaller than 256 bits as a security regression. So I am wontfixing this bug."
> So first, is it legal to have prime192v1, secp224r1 and sect233k1 enabled?
> On the other hand, I prefer to have a blacklist of legal curves rather than a white list like we have today. I think if openssl distributes it, it should be a gray area, because, IIRC, Debian enables all or at least many more (I have to check that better ...)
What Debian does with their packages does not reflect on what Fedora can do. The legal structure around the two distributions is completely different and we cannot use Debian, or any other distribution, as an example of what is possible.
josh