[openssl-users] OpenSSL version 1.1.1 pre release 9 published

Robert Moskowitz rgm at htt-consult.com
Mon Aug 27 18:57:53 UTC 2018



On 08/27/2018 02:33 PM, Hubert Kario wrote:
> On Thursday, 23 August 2018 16:35:01 CEST Robert Moskowitz wrote:
>> On 08/23/2018 09:00 AM, Tomas Mraz wrote:
>>> On Wed, 2018-08-22 at 20:08 -0400, Robert Moskowitz wrote:
>>>> On 08/22/2018 11:48 AM, Matt Caswell wrote:
>>>>> On 22/08/18 00:53, Robert Moskowitz wrote:
>>>>>> On 08/21/2018 06:31 PM, Matt Caswell wrote:
>>>>>>> On 21/08/18 16:24, Robert Moskowitz wrote:
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> Once Fedora beta picks this up, I will run my scripts against
>>>>>>>> it and see
>>>>>>>> if all cases of hash with ED25519 are fixed.
>>>>>>> Unfortunately the command line usability changes for this
>>>>>>> didn't make it
>>>>>>> into the beta. They should still be in the final release.
>>>>>> Sigh.  That means you will get it right.  Right?  :)
>>>>>>
>>>>>> Change seems simple enough.
>>>>> The relevant change has now been merged to master.
>>>> Fedora had already built pre9.1.  But on the off chance, I will look
>>>> at
>>>> it with tomorrow's build.
>>> I'm sorry but no, I am not updating Fedora with current git tree
>>> checkout. You'll have to wait for the next prerelease or the final
>>> version if there are no further prereleases.
>> Tomas,
>>
>> Thanks for responding here.
>>
>> I have been preparing an Internet Draft on how to build an ED25519 pki.
>> I know have the choice of:
>>
>> building my own 1.1.1 pre9 for testing.
>> Wait to push the draft out until 1.1.1 is fully released.
>> Fudge the draft by adding yet another caveat (yes there is a caveat
>> section that I developed in creating the ECDSA pki draft) that the
>> commands are for how it is suppose to work in production 1.1.1, not what
>> I had to do in the prerelease.
>>
>> Decisions decisions.  Thing is I want the draft out so I can push for
>> EDDSA support in IEEE 802.1AR with the next meeting early Sept.
> I'm not sure if providing command line examples for one particular tool are a
> good idea...
>
> Example certificates, sure, but not commands to generate them...
>
"We can't test out the security part of the protocol because we cannot 
get certificates"
"We ran our tests with security disable because we could not afford the 
cost and time for a test pki."
"We did test with RSA certificates from vendor A." (and they were using 
old libs that would not support ecdsa, but marketed it as such.)"

Over the years and in protocol design development, I have heard too many 
we can't.  So I set about with, "here is one way."  Since then I have 
had a few people actually thank me for making it possible for them to 
build an ecdsa pki for their product testing needs.  Just one justifies 
my effort.

If my making EDDSA certs easy for testing and I get one IoT product 
using certs that would otherwise claim that their product could not 
support the overhead of certs, it has been worth it.

I don't expect RFCs  from these draft.  Now Internet Drafts live forever 
(the drafts Yakov and I did for RFC 1597 are gone).  So my work will be 
around for others to use without a lot of pecking at google and this 
list to get it working.

And with eddsa, I did find one issue.  I was on the front side of things 
for a change.




More information about the openssl-users mailing list