Old 06-21-2010, 03:25 PM
Tomas Mraz
 
Default Fedora, DNSSEC and GOST (ECC like) algorithms with openssl

On Mon, 2010-06-21 at 11:07 -0400, Paul Wouters wrote:
> On Mon, 21 Jun 2010, Tomas Mraz wrote:
>
> > Looking at it more closely actually for the DNSSEC GOST R 34.10-2001 it
> > will not be possible to include it as it is elliptic curve based and all
> > the ECC code is removed from our Openssl source and build. I do not know
> > much about the ECC except it is a patent minefield and I will not go
> > into details of the used algorithms and existing patents to examine
> > whether this particular implementation is affected or not. This would
> > have to be explicitly approved by Fedora Legal.
>
> There are no IPR disclosures on any of the GOST algorithms filed with
> the IETF, which is a strong signal that none of the patent holders of
> ECC related patents has any objection. But I understand this could be
> a matter for Fedora Legal. I could try and liaison between Fedora Legal
> and IETF IPR WG in gathering information that might convince Fedora Legal
> all the due diligence is in place.
>
> > So I suppose somehow making the rest of the GOST algorithms compile
> > (which would require patching the source) would not help much in regards
> > to the DNSSEC support.
>
> This will become a serious issue once .ru starts deploying GOST based
> signatures in their TLD zone.
>
> It would be great if we could change the spec file to have a proper flag
> to enable/disable GOST/ECC so that people can easily rebuild with GOST
> support if they need to (and it is legal for them). Would that be
> legally possible?
This is not possible as the ECC algorithm sources are removed from the
source tarball prior to adding it to the Fedora CVS.

> Some references showing there should not be any known IPR issues filed
> with the IETF that would prevent implementing RFC standards using ECC:
>
> https://datatracker.ietf.org/iesg/ann/3304/
> http://www.rfc-editor.org/info/rfc4357
> http://www.rfc-editor.org/info/rfc4490
> http://www.rfc-editor.org/info/rfc4491
> http://www.rfc-editor.org/info/rfc5830
> http://www.rfc-editor.org/info/rfc5831
>
> All GOST / ECC IPR disclosures to IETF as per search on:
> https://datatracker.ietf.org/ipr/search/?option=ipr_title_search&ipr_title_search=ECC
> https://datatracker.ietf.org/ipr/search/?option=ipr_title_search&ipr_title_search=GOST
>
> https://datatracker.ietf.org/ipr/695/
> https://datatracker.ietf.org/ipr/151/
> https://datatracker.ietf.org/ipr/1094/
>
> The latter IPR notes show that Certicom has given everyone the right to use ECC for
> IETF specifications for DNSSEC, IPsec, IKE, IKEv2 and TLS.

This however does not give any guarantee of no patent litigation when it
is included as a general purpose algorithm in Fedora I am afraid. But of
course IANAL.

Perhaps it would be possible to modify the source of ECC algorithms to
include just the smallest possible sources needed just for the GOST R
34.10-2001 and make the calls to the general purpose algorithms needed
for the implementation of the GOST signature algorithm not exported from
the library. However this would be a fair amount of work and the
resulting patch will not be trivial by any means. And moreover the patch
would not guarantee that we would be shielded from the legal point of
view.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 06-21-2010, 04:05 PM
Paul Wouters
 
Default Fedora, DNSSEC and GOST (ECC like) algorithms with openssl

On Mon, 21 Jun 2010, Tomas Mraz wrote:

>> It would be great if we could change the spec file to have a proper flag
>> to enable/disable GOST/ECC so that people can easily rebuild with GOST
>> support if they need to (and it is legal for them). Would that be
>> legally possible?
> This is not possible as the ECC algorithm sources are removed from the
> source tarball prior to adding it to the Fedora CVS.

Would it still be possible to have the define with a comment to grab the
source outside the CVS repo? I am just trying to minimise the work that
has to be done and maintained separately from the Fedora openssl.spec file.

Paul
 
Old 06-21-2010, 06:48 PM
Bruno Wolff III
 
Default Fedora, DNSSEC and GOST (ECC like) algorithms with openssl

On Mon, Jun 21, 2010 at 11:07:05 -0400,
Paul Wouters <paul@xelerance.com> wrote:
>
> Some references showing there should not be any known IPR issues filed
> with the IETF that would prevent implementing RFC standards using ECC:

DJB has made some public comments on why he doesn't think any patents apply
to ECC work he has published at:
http://cr.yp.to/ecdh/patents.html

He isn't a lawyer, but his comments may still be useful.
 
Old 06-24-2010, 03:18 PM
Tom "spot" Callaway
 
Default Fedora, DNSSEC and GOST (ECC like) algorithms with openssl

On 06/21/2010 12:05 PM, Paul Wouters wrote:
> On Mon, 21 Jun 2010, Tomas Mraz wrote:
>
>>> It would be great if we could change the spec file to have a proper flag
>>> to enable/disable GOST/ECC so that people can easily rebuild with GOST
>>> support if they need to (and it is legal for them). Would that be
>>> legally possible?
>> This is not possible as the ECC algorithm sources are removed from the
>> source tarball prior to adding it to the Fedora CVS.
>
> Would it still be possible to have the define with a comment to grab the
> source outside the CVS repo? I am just trying to minimise the work that
> has to be done and maintained separately from the Fedora openssl.spec file.

No, sorry.

~spot
 
Old 06-24-2010, 03:54 PM
Paul Wouters
 
Default Fedora, DNSSEC and GOST (ECC like) algorithms with openssl

On Thu, 24 Jun 2010, Tom "spot" Callaway wrote:

>>> This is not possible as the ECC algorithm sources are removed from the
>>> source tarball prior to adding it to the Fedora CVS.
>>
>> Would it still be possible to have the define with a comment to grab the
>> source outside the CVS repo? I am just trying to minimise the work that
>> has to be done and maintained separately from the Fedora openssl.spec file.
>
> No, sorry.

Ok, thanks for letting me know. I'll see about adding an openssl-gost to
rpmfusion.

Paul
 
Old 06-24-2010, 03:58 PM
Dmitry Butskoy
 
Default Fedora, DNSSEC and GOST (ECC like) algorithms with openssl

Tom "spot" Callaway wrote:
> On 06/21/2010 12:05 PM, Paul Wouters wrote:
>
>> On Mon, 21 Jun 2010, Tomas Mraz wrote:
>>
>>
>>>> It would be great if we could change the spec file to have a proper flag
>>>> to enable/disable GOST/ECC so that people can easily rebuild with GOST
>>>> support if they need to (and it is legal for them). Would that be
>>>> legally possible?
>>>>
>>> This is not possible as the ECC algorithm sources are removed from the
>>> source tarball prior to adding it to the Fedora CVS.
>>>
>> Would it still be possible to have the define with a comment to grab the
>> source outside the CVS repo? I am just trying to minimise the work that
>> has to be done and maintained separately from the Fedora openssl.spec file.
>>
>
> No, sorry.
>

AFAIK the GOST engine in openssl-1.0 can be compiled as a shared object.
IOW, we could create openssl-freeworld in rpmfusion etc...

Besides that, the applications now should call some openssl init
routine before the use of ssl, else such an extra engine will not be
detected by the ssl library at runtime (see
http://www.cryptocom.ru/OpenSource/OpenSSL_eng.html for more info about
application patches required for "external GOST engine" + openssl-1.0.0).


Regards,
Dmitry Butskoy
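As an added illustration (not from this thread or from any Fedora package), this is the openssl.cnf fragment that makes OpenSSL 1.0 load a separately built GOST engine as a shared object at runtime; the engine's shared-object path is an assumption and must match wherever the out-of-tree package installs it. It only takes effect for applications that run the config module during initialisation, which is the "init routine" requirement mentioned above.

```ini
# Added example: openssl.cnf fragment for loading an out-of-tree GOST engine
# through OpenSSL 1.0 dynamic engine loading. The path is an assumption.
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
gost = gost_section

[gost_section]
# Engine id the GOST engine registers itself under
engine_id = gost
# Assumed install location of the separately built engine shared object
dynamic_path = /usr/lib64/openssl/engines/libgost.so
# Register the engine's ciphers, digests and pkey methods as the defaults
default_algorithms = ALL
# Engine-specific control command: default GOST 28147-89 parameter set
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
```

Check the result from the command line with `openssl engine -t -c gost`; an application that never calls `OPENSSL_config(NULL)` (or `OPENSSL_load_builtin_modules()` followed by `CONF_modules_load_file()`) will not see the engine even with this configuration in place.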