Fedora, DNSSEC and GOST (ECC like) algorithms with openssl
tmraz at redhat.com
Mon Jun 21 15:25:19 UTC 2010
On Mon, 2010-06-21 at 11:07 -0400, Paul Wouters wrote:
> On Mon, 21 Jun 2010, Tomas Mraz wrote:
> > Looking at it more closely actually for the DNSSEC GOST R 34.10-2001 it
> > will not be possible to include it as it is elliptic curve based and all
> > the ECC code is removed from our Openssl source and build. I do not know
> > much about the ECC except it is a patent minefield and I will not go
> > into details of the used algorithms and existing patents to examine
> > whether this particular implementation is affected or not. This would
> > have to be explicitly approved by Fedora Legal.
> There are no IPR disclosures on any of the GOST algorithms filed with
> the IETF, which is a strong signal that none of the patent holders of
> ECC related patents has any objection. But I understand this could be
> a matter for Fedora Legal. I could try and liaison between Fedora Legal
> and IETF IPR WG in gathering information that might convince Fedora Legal
> all the due diligence is in place.
> > So I suppose somehow making the rest of the GOST algorithms compile
> > (which would require patching the source) would not help much in regards
> > to the DNSSEC support.
> This will become a serious issue once .ru starts deploying GOST based
> signatures in their TLD zone.
> It would be great if we could change the spec file to have a proper flag
> to enable/disable GOST/ECC so that people can easily rebuild with GOST
> support if they need to (and it is legal for them). Would that be
> legally possible?
This is not possible as the ECC algorithm sources are removed from the
source tarball prior to adding it to the Fedora CVS.
> Some references showing there should not be any known IPR issues filed
> with the IETF that would prevent implementing RFC standards using ECC:
> All GOST / ECC IPR disclosures to IETF as per search on:
> The latter IPR notes show that Certicom has given everyone the right to use ECC for
> IETF specifications for DNSSEC, IPsec, IKE, IKEv2 and TLS.
This however does not give any guarantee of no patent litigation when it
is included as a general purpose algorithm in Fedora I am afraid. But of
Perhaps it would be possible to modify the source of ECC algorithms to
include just the smallest possible sources needed just for the GOST R
34.10-2001 and make the calls to the general purpose algorithms needed
for the implementation of the GOST signature algorithm not exported from
the library. However this would be a fair amount of work and the
resulting patch will not be trivial by any means. And moreover the patch
would not guarantee that we would be shielded from the legal point of
No matter how far down the wrong road you've gone, turn back.