<div dir="ltr"><div dir="auto"><div dir="auto">Getting the key for any given communication from OpenSSL is definitely doable if you're not using an engine. If you are using an engine, it may or may not be even possible.<br><div dir="auto"><br></div><div dir="auto">In any case, maintaining that key once you have it is definitely out of scope of OpenSSL. As an app developer subject to that law, it is up to you to figure out a way to keep it available for compliance purposes.</div><div dir="auto"><br></div><div dir="auto">I'm not part of the OpenSSL team, so I have no capacity to make a policy statement on their behalf. However, I'm pretty sure that OpenSSL is not going to alter its API or its library design to make it easier for a bolt-on AusAssAccess module to be written that directly queries the state of the library or its structures.<br></div><div dir="auto"><br></div><div dir="auto">That said, in the past it's been bandied about that an originating software package subject to the law could encrypt the symmetric key not only to the intended recipient, but also to a hardcoded compliance key. A receiving software package subject to the law would have to modify its receipt process to store a copy of the symmetric key elsewhere when it first decrypted a message -- probably also encrypted to a hardcoded compliance key.</div><div dir="auto"><br></div><div>The downside is "what happens when that compliance key is compromised"? (or, for that matter, if the compliance key is lost.) And it will be compromised or lost, someday, some way. That's the reason so many people have been against backdoors like this -- the security of the system is good, but the security of human beings tasked with maintaining the security of the system is nowhere near as good.<br></div><div><br></div><div>-Kyle H<br></div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Dec 14, 2018, 18:20 <a href="mailto:openssl@foocrypt.net" target="_blank">openssl@foocrypt.net</a> <<a href="mailto:openssl@foocrypt.net" target="_blank">openssl@foocrypt.net</a> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Rather than going down the political or policy line, perhaps it may be prudent to discuss the technical solutions to testing the engine, regardless of the OS it is running on.<br>
<br>
How does one validate and test the engines during / after compile to ensure their ‘trust’ ?<br>
<br>
<br>
<br>
> On 15 Dec 2018, at 10:42, Viktor Dukhovni <<a href="mailto:openssl-users@dukhovni.org" rel="noreferrer" target="_blank">openssl-users@dukhovni.org</a>> wrote:<br>
> <br>
>> On Dec 14, 2018, at 5:42 PM, <a href="mailto:bmeeker51@buckeye-express.com" rel="noreferrer" target="_blank">bmeeker51@buckeye-express.com</a> wrote:<br>
>> <br>
>> I simply wanted a clear statement so I can make an informed decision whether or not I should use OpenSSL in future projects. I now have my answer. Thank you.<br>
> <br>
> This is not the right forum for that question. The bill is too<br>
> new for a policy response to have been considered or agreed.<br>
> <br>
> OpenSSL has committers from many countries. OpenSSH also<br>
> has an Australian maintainer, have they published a policy?<br>
> <br>
> I am sure there are Australian contributors to Linux, NetBSD,<br>
> FreeBSD, OpenBSD, Android, ...<br>
> <br>
> Avoiding all taint from anything touched by Australia will not<br>
> be easy.<br>
> <br>
> -- <br>
> Viktor.<br>
> <br>
> -- <br>
> openssl-users mailing list<br>
> To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
<br>
-- <br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
</blockquote></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Dec 14, 2018, 18:20 <a href="mailto:openssl@foocrypt.net" target="_blank">openssl@foocrypt.net</a> <<a href="mailto:openssl@foocrypt.net" target="_blank">openssl@foocrypt.net</a> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Rather than going down the political or policy line, perhaps it may be prudent to discuss the technical solutions to testing the engine, regardless of the OS it is running on.<br>
<br>
How does one validate and test the engines during / after compile to ensure their ‘trust’ ?<br>
<br>
<br>
<br>
> On 15 Dec 2018, at 10:42, Viktor Dukhovni <<a href="mailto:openssl-users@dukhovni.org" rel="noreferrer" target="_blank">openssl-users@dukhovni.org</a>> wrote:<br>
> <br>
>> On Dec 14, 2018, at 5:42 PM, <a href="mailto:bmeeker51@buckeye-express.com" rel="noreferrer" target="_blank">bmeeker51@buckeye-express.com</a> wrote:<br>
>> <br>
>> I simply wanted a clear statement so I can make an informed decision whether or not I should use OpenSSL in future projects. I now have my answer. Thank you.<br>
> <br>
> This is not the right forum for that question. The bill is too<br>
> new for a policy response to have been considered or agreed.<br>
> <br>
> OpenSSL has committers from many countries. OpenSSH also<br>
> has an Australian maintainer, have they published a policy?<br>
> <br>
> I am sure there are Australian contributors to Linux, NetBSD,<br>
> FreeBSD, OpenBSD, Android, ...<br>
> <br>
> Avoiding all taint from anything touched by Australia will not<br>
> be easy.<br>
> <br>
> -- <br>
> Viktor.<br>
> <br>
> -- <br>
> openssl-users mailing list<br>
> To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
<br>
-- <br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
</blockquote></div>