Fedora, DNSSEC and GOST (ECC like) algorithms with openssl

Paul Wouters paul at xelerance.com
Mon Jun 21 15:07:05 UTC 2010

On Mon, 21 Jun 2010, Tomas Mraz wrote:

> Looking at it more closely actually for the DNSSEC GOST R 34.10-2001 it
> will not be possible to include it as it is elliptic curve based and all
> the ECC code is removed from our Openssl source and build. I do not know
> much about the ECC except it is a patent minefield and I will not go
> into details of the used algorithms and existing patents to examine
> whether this particular implementation is affected or not. This would
> have to be explicitly approved by Fedora Legal.

There are no IPR disclosures on any of the GOST algorithms filed with
the IETF, which is a strong signal that none of the patent holders of
ECC related patents has any objection. But I understand this could be
a matter for Fedora Legal. I could try and liason between Fedora Legal
and IETF IPR WG in gathering information that might convince Fedora Legal
all the due diligence is in place.

> So I suppose somehow making the rest of the GOST algorithms compile
> (which would require patching the source) would not help much in regards
> to the DNSSEC support.

This will become a serious issue once .ru starts deploying GOST based
signatures in their TLD zone.

I would be great if we could change the spec file to have a proper flag
to enable/disable GOST/ECC so that people can easilly rebuild with GOST
support if they need to (and it is legal for them). Would that be
legally possible?

Some references showing there should not be any known IPR issues filed
with the IETF that would prevent implementing RFC standards using ECC:


All GOST / ECC IPR disclosures to IETF as per search on:


The latter IPR notes show that Certicom has given everyone the right to use ECC for
IETF specifications for DNSSEC, IPsec, IKE, IKEv2 and TLS.


More information about the devel mailing list