Date:      Tue, 12 Jul 2016 15:33:15 +0300
From:      Daniel Kalchev <daniel@digsys.bg>
To:        Franco Fichtner <franco@lastsummer.de>
Cc:        freebsd-current <freebsd-current@freebsd.org>
Subject:   Re: GOST in OPENSSL_BASE
Message-ID:  <1A47581A-2076-4989-BDC4-5C5E52BD28B2@digsys.bg>
In-Reply-To: <B97AF2B7-64FF-45D9-879E-B1D61F69BE0F@lastsummer.de>
References:  <20160710133019.GD20831@zxy.spb.ru> <f35c1806-c06d-0d46-1c8a-58a56adef9a7@freebsd.org> <a4f0585d-cc99-e44a-7f59-0dd23e3c969f@FreeBSD.org> <20160711184122.GP46309@zxy.spb.ru> <98f27660-47ff-d212-8c50-9e6e1cd52e0b@freebsd.org> <c0bb5ae3-fee6-d40c-86bd-988c843d757b@freebsd.org> <CAN6yY1sOrL42ssbfGUKz8%2BaY0VvKPDHPx2S0ZRNpmmgdB0V8Tg@mail.gmail.com> <a8214f32-ce90-3b97-678a-faad7c6d0b69@freebsd.org> <C2F596E2-B417-4DC2-A195-60CFAB6399F5@digsys.bg> <B97AF2B7-64FF-45D9-879E-B1D61F69BE0F@lastsummer.de>


> On 12.07.2016, at 13:26, Franco Fichtner <franco@lastsummer.de> wrote:
>
>
>> On 12 Jul 2016, at 11:59 AM, Daniel Kalchev <daniel@digsys.bg> wrote:
>>
>> It is trivial to play MITM with this protocol and in fact, there are commercially available "solutions" for "securing one's corporate network" that do exactly that. Some believe this is with the knowledge and approval of the corporation, but who is to say what the black box actually does and whose interests it serves?
>
> It's also trivial to ignore that pinning certificates and using client
> certificates can actually help a great deal to prevent all of what you
> just said.  ;)

I don't know many users who even know that they can do this — much less actually use it. Pinning the browser vendor's certificates does not protect you from being spied on while visiting someone else's site. This is also non-trivial to support.
In the early days of DANE, Google even had a version of Chrome that supported DANE, just to kill it a bit later: https://www.ietf.org/mail-archive/web/dane/current/msg06980.html

>
> The bottom line is not having GOST support readily available could alienate
> a whole lot of businesses.  Not wanting those downstream use cases will make
> those shift elsewhere and the decision will be seen as an overly political
> move that in no possible way reflects the motivation of community growth.

Exactly — especially as long as there is no demonstrable proof that GOST is actually broken.

Daniel