<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Kyle<div class=""><br class=""></div><div class="">Anyone in their rights minds understands the dangers with government key escrow systems and governments requesting back doors or delaying the remediation of existing zero days, local and remote exploits so that they can utilise them for their own intelligence or law enforcement purposes.</div><div class=""><br class=""></div><div class="">From FooCrypt’s perspective, FooCrypt utilises OpenSSL as an engine calling the binary via an exec rather than calling a purposely built library from the OpenSSL source code. This has added security as it enables the end user to select an appropriate version of the engine that they have access to as per their own countries legal requirements around encryption software. FooCrypt is distributed on macOS platforms as a read only disk image, on linux and windows systems as a Debian package, and as a customised SOE in a read only bootable Live ISO file which can be burnt to an old fashioned DVD, and booted via a VM or on cut down hardware with no physical disk / network / bluetooth etc. The encrypted data objects can be sent via any messaging service / email / snail mail postage / fax / protocol / etc. Technically, if an end user, utilised the Live ISO on a blackbox system, with a deadman switch on the power, there is no way to ‘escrow’ they keys for anyone.</div><div class=""><br class=""></div><div class="">Not only is AssAccess an affront to the sanity of those who are left in Australia still managing to work in the encryption space since they criminalised encryption under the Defence Trade Acts additions of encryption into the Defence Strategic Goods Listing, it has been politicised by our degenerate LNP government with make believe claims that have no founding and belittles those with any technical understanding of the issues.</div><div class=""><br class=""></div><div class="">From a users perspective, end users should be able to ‘trust’ the encryption software they use and not have to deal with the perception of ‘back doors’ requested by Governments, which can’t be reported by those who are crunchy the code, as the Government is threatening them with a 5 year jail term and massive fines for disclosing the Governments attempts to circumvent security.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""><div class=""><div><blockquote type="cite" class=""><div class="">On 17 Dec 2018, at 17:32, Kyle Hamilton <<a href="mailto:aerowolf@gmail.com" class="">aerowolf@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div dir="auto" class=""><div dir="auto" class="">Getting the key for any given communication from OpenSSL is definitely doable if you're not using an engine. If you are using an engine, it may or may not be even possible.<br class=""><div dir="auto" class=""><br class=""></div><div dir="auto" class="">In any case, maintaining that key once you have it is definitely out of scope of OpenSSL. As an app developer subject to that law, it is up to you to figure out a way to keep it available for compliance purposes.</div><div dir="auto" class=""><br class=""></div><div dir="auto" class="">I'm not part of the OpenSSL team, so I have no capacity to make a policy statement on their behalf. However, I'm pretty sure that OpenSSL is not going to alter its API or its library design to make it easier for a bolt-on AusAssAccess module to be written that directly queries the state of the library or its structures.<br class=""></div><div dir="auto" class=""><br class=""></div><div dir="auto" class="">That said, in the past it's been bandied about that an originating software package subject to the law could encrypt the symmetric key not only to the intended recipient, but also to a hardcoded compliance key. A receiving software package subject to the law would have to modify its receipt process to store a copy of the symmetric key elsewhere when it first decrypted a message -- probably also encrypted to a hardcoded compliance key.</div><div dir="auto" class=""><br class=""></div><div class="">The downside is "what happens when that compliance key is compromised"? (or, for that matter, if the compliance key is lost.) And it will be compromised or lost, someday, some way. That's the reason so many people have been against backdoors like this -- the security of the system is good, but the security of human beings tasked with maintaining the security of the system is nowhere near as good.<br class=""></div><div class=""><br class=""></div><div class="">-Kyle H<br class=""></div></div><br class=""><div class="gmail_quote"><div dir="ltr" class="">On Fri, Dec 14, 2018, 18:20 <a href="mailto:openssl@foocrypt.net" target="_blank" class="">openssl@foocrypt.net</a> <<a href="mailto:openssl@foocrypt.net" target="_blank" class="">openssl@foocrypt.net</a> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Rather than going down the political or policy line, perhaps it may be prudent to discuss the technical solutions to testing the engine, regardless of the OS it is running on.<br class="">
<br class="">
How does one validate and test the engines during / after compile to ensure their ‘trust’ ?<br class="">
<br class="">
<br class="">
<br class="">
> On 15 Dec 2018, at 10:42, Viktor Dukhovni <<a href="mailto:openssl-users@dukhovni.org" rel="noreferrer" target="_blank" class="">openssl-users@dukhovni.org</a>> wrote:<br class="">
> <br class="">
>> On Dec 14, 2018, at 5:42 PM, <a href="mailto:bmeeker51@buckeye-express.com" rel="noreferrer" target="_blank" class="">bmeeker51@buckeye-express.com</a> wrote:<br class="">
>> <br class="">
>> I simply wanted a clear statement so I can make an informed decision whether or not I should use OpenSSL in future projects. I now have my answer. Thank you.<br class="">
> <br class="">
> This is not the right forum for that question. The bill is too<br class="">
> new for a policy response to have been considered or agreed.<br class="">
> <br class="">
> OpenSSL has committers from many countries. OpenSSH also<br class="">
> has an Australian maintainer, have they published a policy?<br class="">
> <br class="">
> I am sure there are Australian contributors to Linux, NetBSD,<br class="">
> FreeBSD, OpenBSD, Android, ...<br class="">
> <br class="">
> Avoiding all taint from anything touched by Australia will not<br class="">
> be easy.<br class="">
> <br class="">
> -- <br class="">
> Viktor.<br class="">
> <br class="">
> -- <br class="">
> openssl-users mailing list<br class="">
> To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer noreferrer" target="_blank" class="">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br class="">
<br class="">
-- <br class="">
openssl-users mailing list<br class="">
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer noreferrer" target="_blank" class="">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br class="">
</blockquote></div></div></div><br class=""><div class="gmail_quote"><div dir="ltr" class="">On Fri, Dec 14, 2018, 18:20 <a href="mailto:openssl@foocrypt.net" target="_blank" class="">openssl@foocrypt.net</a> <<a href="mailto:openssl@foocrypt.net" target="_blank" class="">openssl@foocrypt.net</a> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Rather than going down the political or policy line, perhaps it may be prudent to discuss the technical solutions to testing the engine, regardless of the OS it is running on.<br class="">
<br class="">
How does one validate and test the engines during / after compile to ensure their ‘trust’ ?<br class="">
<br class="">
<br class="">
<br class="">
> On 15 Dec 2018, at 10:42, Viktor Dukhovni <<a href="mailto:openssl-users@dukhovni.org" rel="noreferrer" target="_blank" class="">openssl-users@dukhovni.org</a>> wrote:<br class="">
> <br class="">
>> On Dec 14, 2018, at 5:42 PM, <a href="mailto:bmeeker51@buckeye-express.com" rel="noreferrer" target="_blank" class="">bmeeker51@buckeye-express.com</a> wrote:<br class="">
>> <br class="">
>> I simply wanted a clear statement so I can make an informed decision whether or not I should use OpenSSL in future projects. I now have my answer. Thank you.<br class="">
> <br class="">
> This is not the right forum for that question. The bill is too<br class="">
> new for a policy response to have been considered or agreed.<br class="">
> <br class="">
> OpenSSL has committers from many countries. OpenSSH also<br class="">
> has an Australian maintainer, have they published a policy?<br class="">
> <br class="">
> I am sure there are Australian contributors to Linux, NetBSD,<br class="">
> FreeBSD, OpenBSD, Android, ...<br class="">
> <br class="">
> Avoiding all taint from anything touched by Australia will not<br class="">
> be easy.<br class="">
> <br class="">
> -- <br class="">
> Viktor.<br class="">
> <br class="">
> -- <br class="">
> openssl-users mailing list<br class="">
> To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer noreferrer" target="_blank" class="">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br class="">
<br class="">
-- <br class="">
openssl-users mailing list<br class="">
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer noreferrer" target="_blank" class="">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br class="">
</blockquote></div>
-- <br class="">openssl-users mailing list<br class="">To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" class="">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br class=""></div></blockquote></div><br class=""></div></div></body></html>