[openssl-users] AssAccess was passed with no amendments

Kyle Hamilton aerowolf at gmail.com
Mon Dec 17 06:32:30 UTC 2018 

Getting the key for any given communication from OpenSSL is definitely
doable if you're not using an engine.  If you are using an engine, it may
or may not be even possible.

In any case, maintaining that key once you have it is definitely out of
scope of OpenSSL. As an app developer subject to that law, it is up to you
to figure out a way to keep it available for compliance purposes.

I'm not part of the OpenSSL team, so I have no capacity to make a policy
statement on their behalf.  However, I'm pretty sure that OpenSSL is not
going to alter its API or its library design to make it easier for a
bolt-on AusAssAccess module to be written that directly queries the state
of the library or its structures.

That said, in the past it's been bandied about that an originating software
package subject to the law could encrypt the symmetric key not only to the
intended recipient, but also to a hardcoded compliance key.  A receiving
software package subject to the law would have to modify its receipt
process to store a copy of the symmetric key elsewhere when it first
decrypted a message -- probably also encrypted to a hardcoded compliance
key.

The downside is "what happens when that compliance key is compromised"?
(or, for that matter, if the compliance key is lost.)  And it will be
compromised or lost, someday, some way.  That's the reason so many people
have been against backdoors like this -- the security of the system is
good, but the security of human beings tasked with maintaining the security
of the system is nowhere near as good.

-Kyle H

On Fri, Dec 14, 2018, 18:20 openssl at foocrypt.net <openssl at foocrypt.net
wrote:

> Rather than going down the political or policy line, perhaps it may be
> prudent to discuss the technical solutions to testing the engine,
> regardless of the OS it is running on.
>
> How does one validate and test the engines during / after compile to
> ensure their ‘trust’ ?
>
>
>
> > On 15 Dec 2018, at 10:42, Viktor Dukhovni <openssl-users at dukhovni.org>
> wrote:
> >
> >> On Dec 14, 2018, at 5:42 PM, bmeeker51 at buckeye-express.com wrote:
> >>
> >> I simply wanted a clear statement so I can make an informed decision
> whether or not I should use OpenSSL in future projects.  I now have my
> answer.  Thank you.
> >
> > This is not the right forum for that question.  The bill is too
> > new for a policy response to have been considered or agreed.
> >
> > OpenSSL has committers from many countries.  OpenSSH also
> > has an Australian maintainer, have they published a policy?
> >
> > I am sure there are Australian contributors to Linux, NetBSD,
> > FreeBSD, OpenBSD, Android, ...
> >
> > Avoiding all taint from anything touched by Australia will not
> > be easy.
> >
> > --
> >       Viktor.
> >
> > --
> > openssl-users mailing list
> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>

On Fri, Dec 14, 2018, 18:20 openssl at foocrypt.net <openssl at foocrypt.net
wrote:

> Rather than going down the political or policy line, perhaps it may be
> prudent to discuss the technical solutions to testing the engine,
> regardless of the OS it is running on.
>
> How does one validate and test the engines during / after compile to
> ensure their ‘trust’ ?
>
>
>
> > On 15 Dec 2018, at 10:42, Viktor Dukhovni <openssl-users at dukhovni.org>
> wrote:
> >
> >> On Dec 14, 2018, at 5:42 PM, bmeeker51 at buckeye-express.com wrote:
> >>
> >> I simply wanted a clear statement so I can make an informed decision
> whether or not I should use OpenSSL in future projects.  I now have my
> answer.  Thank you.
> >
> > This is not the right forum for that question.  The bill is too
> > new for a policy response to have been considered or agreed.
> >
> > OpenSSL has committers from many countries.  OpenSSH also
> > has an Australian maintainer, have they published a policy?
> >
> > I am sure there are Australian contributors to Linux, NetBSD,
> > FreeBSD, OpenBSD, Android, ...
> >
> > Avoiding all taint from anything touched by Australia will not
> > be easy.
> >
> > --
> >       Viktor.
> >
> > --
> > openssl-users mailing list
> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20181217/9699945b/attachment.html>

More information about the openssl-users mailing list