[openssl-project] As per vote, the project list is created

Salz, Rich rsalz at akamai.com
Wed Jan 3 13:25:41 UTC 2018


Posting it under the OMC byline is a good idea.  Voting is therefore necessary, although it slows the process.

I posted it to the same forum we posted the f2f minutes.

From: Tim Hudson <tjh at cryptsoft.com>
Reply-To: "openssl-project at openssl.org" <openssl-project at openssl.org>
Date: Tuesday, January 2, 2018 at 4:20 PM
To: "openssl-project at openssl.org" <openssl-project at openssl.org>
Subject: Re: [openssl-project] As per vote, the project list is created

I've added some edits to make it align more closely with the discussion and correct a couple of items.

I think it should go out from the OMC as a whole - which does mean that everyone should view it - and if we are sending as OMC then it should be on the basis of a vote (so we are not placing words in the mouths of people who haven't read and approved the wording).

I also wouldn't have sent the draft blog post to the public as yet ...

Tim.



On Wed, Jan 3, 2018 at 6:42 AM, Salz, Rich <rsalz at akamai.com> wrote:
I wrote a draft blog post.  If anyone on the OMC wants to edit and put their name on it, or suggest edits and I post it, that’s fine with me.

On 1/1/18, 7:30 PM, "Paul Dale" <paul.dale at oracle.com> wrote:

    A concurrent update for the mailing list page: https://www.openssl.org/community/mailinglists.html too?

    Pauli
    --
    Oracle
    Dr Paul Dale | Cryptographer | Network Security & Encryption
    Phone +61 7 3031 7217
    Oracle Australia

    -----Original Message-----
    From: Richard Levitte [mailto:levitte at openssl.org]
    Sent: Saturday, 23 December 2017 12:48 AM
    To: openssl-project at openssl.org
    Subject: Re: [openssl-project] As per vote, the project list is created

    In message <20171222105738.GA17869 at roeckx.be> on Fri, 22 Dec 2017 11:57:38 +0100, Kurt Roeckx <kurt at roeckx.be> said:

    kurt> You should probably announce this new list more widely

    Agreed.  Wasn't someone going to make a blog post about it?  Or was that just a general "we should" where no one actually said "I will"?
    For if no one feels they've taken that on, I will ;-)

    --
    Richard Levitte         levitte at openssl.org
    OpenSSL Project         http://www.openssl.org/~levitte/
    _______________________________________________
    openssl-project mailing list
    openssl-project at openssl.org
    https://mta.openssl.org/mailman/listinfo/openssl-project



---------- Forwarded message ----------
From: Rich Salz <rsalz at openssl.org>
To: <openssl-omc at openssl.org>
Cc:
Bcc:
Date: Tue, 2 Jan 2018 20:41:12 +0000
Subject: [openssl-omc] [blog] master update
The branch master has been updated
       via  90a4eb9e289be237bc80dc5393d32e79b2d7b001 (commit)
      from  0c536ced1e9bb1684ddf60af42e236dd69d3dd52 (commit)


- Log -----------------------------------------------------------------
commit 90a4eb9e289be237bc80dc5393d32e79b2d7b001
Author: Rich Salz <rsalz at akamai.com>
Date:   Tue Jan 2 15:39:37 2018 -0500

    Draft of F2F blog post

-----------------------------------------------------------------------

Summary of changes:
 source/_posts/2018-01-04-f2f-email-etc.markdown | 130 ++++++++++++++++++++++++
 1 file changed, 130 insertions(+)
 create mode 100644 source/_posts/2018-01-04-f2f-email-etc.markdown

diff --git a/source/_posts/2018-01-04-f2f-email-etc.markdown b/source/_posts/2018-01-04-f2f-email-etc.markdown
new file mode 100644
index 0000000..c62a133
--- /dev/null
+++ b/source/_posts/2018-01-04-f2f-email-etc.markdown
@@ -0,0 +1,130 @@
+---
+layout: post
+title: "Another Face to Face: Email changes and crypto policy"
+date: 2018-01-04 1:00
+comments: true
+author: "???"
+published: false
+---
+
+The OpenSSL OMC met last month for a two-day face-to-face meeting, and
+like previous F2F meetings, most of the team was present and we got a
+great deal of issues addressed.  This blog posts talks about some of them,
+and most of the others will get their own blog posts, or notices, later.
+
+One of the overall threads of the meeting was about increasing the
+transparency of the project.  By default, everything should be done in
+public.  We decided to try some major changes to email and such.
+
+<!-- more -->
+
+## Security Releases
+
+First, a short item. We are changing our release schedule so that unless
+there are extenuating circumstances, security releases will go out on
+Tuesday, with the pre-notification being the previous Tuesday. We don't see
+a need to have people ready to sacrifice their weekend every time a new CVE
+comes out (see our
+<a href="https://www.openssl.org/policies/secpolicy.html<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.openssl.org_policies_secpolicy.html&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=bCenl7PqC9RkkY0AbjQTONSxCY4ZVpQGhvfnOC1PuV8&s=Rs8DaMxNIa7kUegk74aQxatTQE08R7LqNIs8tInPChg&e=>">security policy</a>
+for details).
+
+On the other hand, a Heartbleed-style vulnerability that has known exploits
+would a good example of an extenuating circumstance.
+
+## Online communication
+
+We created a new mailing list,
+<a href="https://mta.openssl.org/mailman/listinfo/openssl-project<https://urldefense.proofpoint.com/v2/url?u=https-3A__mta.openssl.org_mailman_listinfo_openssl-2Dproject&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=bCenl7PqC9RkkY0AbjQTONSxCY4ZVpQGhvfnOC1PuV8&s=s57Iml_loafNnRSg8V0mTuJ9D03oyUKGmV4gveWO_10&e=>">openssl-project</a>,
+that is for discussions about the governance and policies of OpenSSL.
+Anyone can join this list.  Initially, only members of the OMC and committers
+will be able to post; everyone else will be moderated.
+At first glance, this seems to go against our goal of more transparency.
+We want this to be a useful list for the project members to communicate in
+public -- like many Parliaments, for example, where debate is public but the
+public doesn't speak.
+
+Still, not everyone is completely comfortable with this, and some have said
+that they will basically approve any posting held for moderation.
+It's an experiment, and if we can open the list for public posting, without
+getting drowned out, we'll do so.  Note that all OMC vote results will be
+posted here, as will initial discussions about vote topics.  One important item
+that will be discussed on this list is planning for upcoming releases.
+Also, our paid fellows will be posting monthly status reports there.
+
+We decided to increase our use of GitHub. In addition to asking that all
+bug reports and enhancement requests be reported as issues, we now want all
+major code proposals to be discussed as issues before a large pull request
+shows up. This will let the community discuss the feature, offer input on
+design and such, before having code to look at.  We hope this will let us
+all first look at the bigger picture, before getting bogged down in the
+weeds of line-by-line code reviews.
+
+We are going to close the openssl-dev mailing list. The distinction between
+openssl-dev and openssl-users was often unclear, and the changes described
+above will make that situation worse. GitHub issues are the way
+most projects work these days, and with the creation of openssl-project it
+should be much more clear how and when to use the openssl-users mailing
+list.
+
+If our expectations are wrong, of course, we'll fix or revert these
+changes.
+
+## Cryptography Policies
+
+Part of our discussions were about our mission.
+
+- What security properties are we trying to provide our users?
+- Do we see ourselves as responsbile for keeping the ecosystem secure?
+- Are we a TLS toolkit or a "it's all there" crypto toolkit?
+- And so on...
+
+While discussing these questions, we came up with a few policy decisions.
+These apply to all new cryptography, and in a future release we will address
+the existing source.
+
+- Insecure configuration options will not be enabled by default but must
+be enabled by a compile-time switch. We had already started to do this by
+disabling SSLv2 and small keys. A recent change is that "multi-prime RSA"
+will enforce a maximum number of prime factors by default.  In the future,
+it's possible we'll increase the minimum key sizes for a variety of algorithms.
+
+- It must be possible to disable all new algorithms at compile-time.
+When we extend that existing code, we'll probably skip cases that are known
+to not work. Building OpenSSL without SHA will break libssl, so it's not worth
+spending time on that.
+
+- The EVP interface is the primary interface for calling crypto operations.
+All new algorithms should only provide this API.
+In a future release, existing API's like ``AES_encrypt`` will be provided
+with a compatibility layer, perhaps separately, that wraps the EVP API.
+
+- All algorithms and protocols should be recognized by a national or
+international standards body. That is somewhat vague, but the important
+point is that we are implementors, not cryptographers, and will defer
+judgement to experts.
+
+- The DEFAULT value for the cipher string is not the same as ALL.
+That is, while many ciphers will be available to the libraries, they will
+not be enabled at the TLS layer unless specified at run-time.
+This brought up the point that the syntax of the cipher string cannot
+support the things people need it to do, including "cipher classes,"
+custom keywords, and site-wide configurations.
+
+## Roadmap
+
+We remain committed to having TLS 1.3 be the main feature for our next
+release. Of course we must wait for the IETF to finish it. We'll again
+point out that this is version 1.1.1, and you should get your applications
+ready by porting to 1.1.0 now.
+
+We reviewed the status of our license-change work. We'll post an update in
+a couple of weeks, but our goal is to change the license with this next
+release.
+
+We also decided that the primary focus of the next feature release will be
+FIPS. We know that FIPS is very important to some, not all, members of our
+community and we are committed to addressing this. We don't have much more
+information to share, and we know there has been some confusion and
+misleading communication out there. But we do want to make this strong,
+definitive statement: OpenSSL will implement a FIPS solution, and we expect
+it will be much faster than previous timetables.
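
Review bot: the front matter at the top of the new file still carries the placeholder author: "???" alongside published: false; set the author to the agreed byline in the same change that flips published to true, so the placeholder cannot ship. In the Cryptography Policies list, the second bullet's "When we extend that existing code" has no antecedent (no code has been named at that point), and the first bullet's "will not be enabled by default but must be enabled by a compile-time switch" is the sentence readers will quote as policy, so it should say explicitly whether a compile-time switch is the only way to turn such options on. As quoted in this mail, the two href values (secpolicy.html and listinfo/openssl-project) have a gateway-rewritten URL appended inside the attribute; confirm the committed file contains only the plain URL. Typos to fix before publishing: "This blog posts talks", "would a good example" (missing "be"), and "responsbile".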

