From owner-freebsd-current@freebsd.org Tue Jul 12 18:45:31 2016
From: Kevin Oberman
Date: Tue, 12 Jul 2016 11:45:29 -0700
Subject: Re: GOST in OPENSSL_BASE
To: Daniel Kalchev
Cc: Franco Fichtner, freebsd-current
In-Reply-To: <1A47581A-2076-4989-BDC4-5C5E52BD28B2@digsys.bg>

On Tue, Jul 12, 2016 at 5:33 AM, Daniel Kalchev wrote:
>
> > On 12.07.2016 г., at 13:26, Franco Fichtner wrote:
> >
> >> On 12 Jul 2016, at 11:59 AM, Daniel Kalchev wrote:
> >>
> >> It is trivial to play MITM with this protocol and in fact, there are commercially available “solutions” for “securing one’s corporate network” that do exactly that. Some believe this is with the knowledge and approval of the corporation, but who is to say what the black box actually does and whose interests it serves?
> >
> > It's also trivial to ignore that pinning certificates and using client certificates can actually help a great deal to prevent all of what you just said. ;)
>
> I don’t know many users who even know that they can do this — much less actually using it. Pinning the browser vendor’s certificates does not protect you from being spied on while visiting someone else’s site. This is also non-trivial to support.
> In the early days of DANE, Google even had a version of Chrome that supported DANE, just to kill it a bit later:
> https://www.ietf.org/mail-archive/web/dane/current/msg06980.html
>
> > The bottom line is not having GOST support readily available could alienate a whole lot of businesses. Not wanting those downstream use cases will make those shift elsewhere and the decision will be seen as an overly political move that in no possible way reflects the motivation of community growth.
>
> Exactly — especially as long as there is no demonstrable proof that GOST is actually broken.

I may have been misunderstood, possibly because I was unclear. I do not object to GOST being readily available as it is legally required in some places. I do object to its being enabled by default and I do object to standards endorsing its use, though I do not object to standards for GOST, itself.

Making the method for enabling GOST simple and clearly documented is a reasonable thing and, as long as its use is mandated, it is really essential.

And, thanks, Andrey, for clarifying the Russian law. I don't know the language and have depended on others for the details. In areas of fine points of laws, this is often inadequate. (As it is when you read the language fluently. I read and speak American English quite well, but that does not mean that legalese is covered.) Reality is that the law is what those charged with formal interpretation of it say it is. In the US, that is the Supreme Court. Not sure who is in Russia, but it's not me!
-- Kevin Oberman, Part time kid herder and retired Network Engineer E-mail: rkoberman@gmail.com PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683