From: Daniel Kalchev
To: Franco Fichtner
Cc: freebsd-current
Subject: Re: GOST in OPENSSL_BASE
Date: Tue, 12 Jul 2016 15:33:15 +0300
Message-Id: <1A47581A-2076-4989-BDC4-5C5E52BD28B2@digsys.bg>

> On 12.07.2016 г., at 13:26, Franco Fichtner wrote:
>
>
>> On 12 Jul 2016, at 11:59 AM, Daniel Kalchev wrote:
>>
>> It is trivial to play MITM with this protocol and in fact, there are commercially available “solutions” for “securing one’s corporate network” that do exactly that. Some believe this is with the knowledge and approval of the corporation, but who is to say what the black box actually does and whose interests it serves?
>
> It's also trivial to ignore that pinning certificates and using client
> certificates can actually help a great deal to prevent all of what you
> just said. ;)

I don’t know many users who even know that they can do this — much less actually using it. Pinning the browser vendor’s certificates does not protect you from being spied on while visiting someone else’s site. This is also non-trivial to support. In the early days of DANE, Google even had a version of Chrome that supported DANE, just to kill it a bit later: https://www.ietf.org/mail-archive/web/dane/current/msg06980.html

>
> The bottom line is not having GOST support readily available could alienate
> a whole lot of businesses. Not wanting those downstream use cases will make
> those shift elsewhere and the decision will be seen as an overly political
> move that in no possible way reflects the motivation of community growth.

Exactly — especially as long as there is no demonstrable proof that GOST is actually broken.

Daniel