Date: Tue, 12 Jul 2016 11:45:29 -0700 From: Kevin Oberman <rkoberman@gmail.com> To: Daniel Kalchev <daniel@digsys.bg> Cc: Franco Fichtner <franco@lastsummer.de>, freebsd-current <freebsd-current@freebsd.org> Subject: Re: GOST in OPENSSL_BASE Message-ID: <CAN6yY1t5mn_LWJdjLZ49CjObGBTAs5o=JR_ykLbd9fgSzSyhdg@mail.gmail.com> In-Reply-To: <1A47581A-2076-4989-BDC4-5C5E52BD28B2@digsys.bg> References: <20160710133019.GD20831@zxy.spb.ru> <f35c1806-c06d-0d46-1c8a-58a56adef9a7@freebsd.org> <a4f0585d-cc99-e44a-7f59-0dd23e3c969f@FreeBSD.org> <20160711184122.GP46309@zxy.spb.ru> <98f27660-47ff-d212-8c50-9e6e1cd52e0b@freebsd.org> <c0bb5ae3-fee6-d40c-86bd-988c843d757b@freebsd.org> <CAN6yY1sOrL42ssbfGUKz8%2BaY0VvKPDHPx2S0ZRNpmmgdB0V8Tg@mail.gmail.com> <a8214f32-ce90-3b97-678a-faad7c6d0b69@freebsd.org> <C2F596E2-B417-4DC2-A195-60CFAB6399F5@digsys.bg> <B97AF2B7-64FF-45D9-879E-B1D61F69BE0F@lastsummer.de> <1A47581A-2076-4989-BDC4-5C5E52BD28B2@digsys.bg>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Jul 12, 2016 at 5:33 AM, Daniel Kalchev <daniel@digsys.bg> wrote: > > > On 12.07.2016 =D0=B3., at 13:26, Franco Fichtner <franco@lastsummer.de> > wrote: > > > > > >> On 12 Jul 2016, at 11:59 AM, Daniel Kalchev <daniel@digsys.bg> wrote: > >> > >> It is trivial to play MTIM with this protocol and in fact, there are > commercially available =E2=80=9Csolutions=E2=80=9D for =E2=80=9Csecuring = one=E2=80=99s corporate network=E2=80=9D > that doe exactly that. Some believe this is with the knowledge and approv= al > of the corporation, but who is to say what the black box actually does an= d > whose interests it serves? > > > > It's also trivial to ignore that pinning certificates and using client > > certificates can actually help a great deal to prevent all of what you > > just said. ;) > > I don=E2=80=99t know many users who even know that they can do this =E2= =80=94 much less > actually using it. Pinning the browser vendor=E2=80=99s certificates does= not > protect you from being spied while visiting someone else=E2=80=99s site. = This is > also non-trivial to support. > In the early days of DANE, Google even had a version of Chrome that > supported DANE, just to kill it a bit later: > https://www.ietf.org/mail-archive/web/dane/current/msg06980.html > > > > > The bottom line is not having GOST support readily available could > alienate > > a whole lot of businesses. Not wanting those downstream use cases will > make > > those shift elsewhere and the decision will be seen as an overly > political > > move that in no possible way reflects the motivation of community growt= h. > > > Exactly =E2=80=94 especially as long as there is no demonstrable proof th= at GOST > is actually broken. I may have been misunderstood, possibly because I was unclear. I do not object to GOST being readily available as it is legally required in some places. I do object on its being enabled by default and I do object to standards endorsing it use, though I do not object to standards for GOST, itself. Making the method for enabling GOST simple and clearly documented is a reasonable thing and, as long as its use is mandated it is really essential= . And, thinks, Andrey, for clarifying the Russian law. I don't know the language and have depended on others for the details. In areas of tine points of laws, this is often inadequate. (As it is when you read the language fluently. I read and speak American English quite well, but that does not mean that legalese is covered.) Reality is that the law is what those charges with formal interpretation of it say it is. In the US, that is the Supreme Court. Not sure who is in Russia, but it's not me!) -- Kevin Oberman, Part time kid herder and retired Network Engineer E-mail: rkoberman@gmail.com PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAN6yY1t5mn_LWJdjLZ49CjObGBTAs5o=JR_ykLbd9fgSzSyhdg>