On 12.07.2016 12:16, Andrey Chernov wrote: > On 12.07.2016 8:48, Kevin Oberman wrote: >> >> May be need file PR for dns/bind910? >> >> >> >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile >> >> .include <bsd.port.pre.mk <http://bsd.port.pre.mk>> >> >> >> >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && >> ${SSL_DEFAULT} == base >> >> BROKEN= OpenSSL from the base system does not support GOST, add \ >> >> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and >> rebuild everything \ >> >> that needs SSL. >> >> .endif >> >> >> > >> > I dislike idea to use GOST in the bind, it is unneeded there, DNSSEC >> > don't use GOST, so I vote for removing GOST option from there. >> > >> >> I need to note that RFC exists, proposing GOST (old version) for DNSSEC: >> https://tools.ietf.org/html/rfc5933 >> but nobody really use it. >> >> In case people are not aware of it, Russian law now requires ALL >> encrypted traffic must either be accessible by the FSB or that the >> private keys must be available to the FSB. > > It is not quite so. All traffic must be available for 6 months and they > express intention to ask big companies for their private keys, but later > is not required by the law (not yet...) > >> I have always assumed that >> GOST has a hidden vulnerability/backdoor that the FSB is already using, > > I already answer this question elsewhere in this thread with the reference. > >> but this makes it mandatory. Putin gave the FSB 2 weeks to implement the >> law, which is clearly impossible, but I suspect that there will be a >> huge effort to pick all low-hanging fruit. As a result, I suspect no one >> outside of Russia will touch GOST. (Not that they do now, either.) I'd >> hate to see its support required for any protocol except in Russia as >> someone will be silly enough to use it. > > I already explain required GOST usage pattern in this thread. > Ah, I see, freebsd-current list was excluded by someone, so I repeat what I wrote: Official documents workflow here require using GOST signatures for authenticity and consistency verification, they are needed or, in some cases, required for both people and companies. Since it is official in any case, there is no harm to have FSB backdoor in the algo, unless some hacker will find it. Just don't use GOST for something else to stay on safe side. BTW, latest GOST based on elliptic curves, so from math point of view probability of having backdoor here is minimal. I don't examine its implementation. See https://ru.wikipedia.org/wiki/%D0%93%D0%9E%D0%A1%D0%A2_%D0%A0_34.10-2012 You can consider GOST goals are the same as FIPS ones with the reason to have things "domestically produced".Received on Tue Jul 12 2016 - 07:43:23 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:06 UTC