3:29 a.m.
Hi folks at Fedora legal team,
please give us a comment regarding missing ec and ecparam commands in
openssl package in this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=319901
Cheers,
Valent.
11:11 a.m.
On 04/06/12 09:29, valent.turkovic(a)gmail.com wrote:
Hi folks at Fedora legal team,
please give us a comment regarding missing ec and ecparam commands in
openssl package in this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=319901
Cheers,
Valent.
_______________________________________________
legal mailing list
legal(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/legal
Valent,
this was answered 3 months ago.
To reiterate I will post Tom's response.
Fedora is legally part of Red Hat, and Red Hat has certain legal
obligations it is required to adhere to, based on the fact that it is a
US Company.
Elliptic Curve Cryptography is currently being reviewed. At this point
in time, it must not be included or enabled in Fedora.
~tom
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore(a)internexusconnect.net
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore(a)fedoraproject.org
4:52 a.m.
On Mon Jun 4, Tristan Santore wrote:
this was answered 3 months ago.
To reiterate I will post Tom's response.
> Fedora is legally part of Red Hat, and Red Hat has certain legal
> obligations it is required to adhere to, based on the fact that it is a
> US Company.
>
> Elliptic Curve Cryptography is currently being reviewed. At this point
> in time, it must not be included or enabled in Fedora.
Has there been any progress on that since then? This is also blocking
the inclusion of GnuTLS v3; we're currently shipping 2.12 which is a
year out of date and lacking some important features and fixes.
The GnuTLS maintainer has clarified¹ that he has *only* used parts of EC
which are documented in RFC6090 — a document which was produced
*specifically* to cover the unpatented parts of Elliptic Curve
cryptography, and which has no normative references dated later than
1994. It even eschews the definitions of MAY/SHOULD/MUST etc. from
RFC2119 and provides its own, because RFC2119 was published later than
1994 ☺
For GnuTLS at least, the approval should be fairly much a no-brainer.
--
dwmw2
¹ https://bugzilla.redhat.com/show_bug.cgi?id=726886#c26
5:10 a.m.
On 09/07/12 10:52, David Woodhouse wrote:
On Mon Jun 4, Tristan Santore wrote:
> this was answered 3 months ago.
> To reiterate I will post Tom's response.
>
>> Fedora is legally part of Red Hat, and Red Hat has certain legal
>> obligations it is required to adhere to, based on the fact that it is a
>> US Company.
>>
>> Elliptic Curve Cryptography is currently being reviewed. At this point
>> in time, it must not be included or enabled in Fedora.
Has there been any progress on that since then? This is also blocking
the inclusion of GnuTLS v3; we're currently shipping 2.12 which is a
year out of date and lacking some important features and fixes.
The GnuTLS maintainer has clarified¹ that he has *only* used parts of EC
which are documented in RFC6090 — a document which was produced
*specifically* to cover the unpatented parts of Elliptic Curve
cryptography, and which has no normative references dated later than
1994. It even eschews the definitions of MAY/SHOULD/MUST etc. from
RFC2119 and provides its own, because RFC2119 was published later than
1994 ☺
For GnuTLS at least, the approval should be fairly much a no-brainer.
_______________________________________________
legal mailing list
legal(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/legal
Tom,Richard,
could somebody please look at this one and expedite the response to
this. There are a few valid points there and this seems rather urgent,
considering out-datedness and the bug fixes found in updated versions.
In particular section 9 in RFC 6090 (page.20).
http://tools.ietf.org/html/rfc6090#page-20
Quote: "Concerns about intellectual property have slowed the adoption of
ECC because a number of optimizations and specialized algorithms have
been patented in recent years.
All of the normative references for ECDH (as defined in Section 4)
were published during or before 1989, and those for KT-I were
published during or before May 1994. All of the normative text for
these algorithms is based solely on their respective references."
Somebody will have to look at this closer to figure out, if the 17 year
or the 20 year expiration period applies.
Thank you.
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore(a)internexusconnect.net
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore(a)fedoraproject.org
9:32 a.m.
On Mon, 2012-07-09 at 07:33 -0400, Tom Callaway wrote:
On 07/09/2012 05:52 AM, David Woodhouse wrote:
> Has there been any progress on that since then?
This issue is still under review. Unfortunately, that's about all I can
say about this right now.
Thanks, anyway, for the update.
--
dwmw2
4292
days inactive
4337
days old
5 comments
4 participants
participants (4)
-
David Woodhouse -
Tom Callaway -
Tristan Santore -
Valent Turkovic