[Fedora-legal-list] missing ec and ecparam commands in openssl package

Tristan Santore tristan.santore at internexusconnect.net
Mon Jul 9 10:10:29 UTC 2012


On 09/07/12 10:52, David Woodhouse wrote:
> On Mon Jun 4, Tristan Santore wrote:
>> this was answered 3 months ago.
>> To reiterate I will post Tom's response.
>>
>>> Fedora is legally part of Red Hat, and Red Hat has certain legal
>>> obligations it is required to adhere to, based on the fact that it is a
>>> US Company.
>>>
>>> Elliptic Curve Cryptography is currently being reviewed. At this point
>>> in time, it must not be included or enabled in Fedora.
> 
> Has there been any progress on that since then? This is also blocking
> the inclusion of GnuTLS v3; we're currently shipping 2.12 which is a
> year out of date and lacking some important features and fixes.
> 
> The GnuTLS maintainer has clarified¹ that he has *only* used parts of EC
> which are documented in RFC6090 — a document which was produced
> *specifically* to cover the unpatented parts of Elliptic Curve
> cryptography, and which has no normative references dated later than
> 1994. It even eschews the definitions of MAY/SHOULD/MUST etc. from
> RFC2119 and provides its own, because RFC2119 was published later than
> 1994 ☺
> 
> For GnuTLS at least, the approval should be fairly much a no-brainer.
> 
> 
> 
> 
> _______________________________________________
> legal mailing list
> legal at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/legal
Tom, Richard,

Could somebody please look at this one and expedite the response to
it? There are a few valid points there, and this seems rather urgent
considering the out-of-dateness and the bug fixes found in updated versions.

In particular, section 9 of RFC 6090 (page 20):
http://tools.ietf.org/html/rfc6090#page-20

Quote: "Concerns about intellectual property have slowed the adoption of
ECC because a number of optimizations and specialized algorithms have
been patented in recent years.

All of the normative references for ECDH (as defined in Section 4)
were published during or before 1989, and those for KT-I were
published during or before May 1994. All of the normative text for
these algorithms is based solely on their respective references."

Somebody will have to look at this more closely to figure out whether the
17-year or the 20-year expiration period applies.

Thank you.

Regards,
Tristan

-- 
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore at fedoraproject.org

