On 12.07.2016 12:16, Andrey Chernov wrote:
> On 12.07.2016 8:48, Kevin Oberman wrote:
>>     >> May be need file PR for dns/bind910?
>>     >>
>>     >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
>>     >> .include <bsd.port.pre.mk <http://bsd.port.pre.mk>>
>>     >>
>>     >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) &&
>>     ${SSL_DEFAULT} == base
>>     >> BROKEN= OpenSSL from the base system does not support GOST, add \
>>     >>         DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and
>>     rebuild everything \
>>     >>         that needs SSL.
>>     >> .endif
>>     >>
>>     >
>>     > I dislike idea to use GOST in the bind, it is unneeded there, DNSSEC
>>     > don't use GOST, so I vote for removing GOST option from there.
>>     >
>>     I need to note that RFC exists, proposing GOST (old version) for DNSSEC:
>>     https://tools.ietf.org/html/rfc5933
>>     but nobody really use it.
>> In case people are not aware of it, Russian law now requires ALL
>> encrypted traffic must either be accessible by the FSB or that the
>> private keys must be available to the FSB. 
> It is not quite so. All traffic must be available for 6 months and they
> express intention to ask big companies for their private keys, but later
> is not required by the law (not yet...)
>> I have always assumed that
>> GOST has a hidden vulnerability/backdoor that the FSB is already using,
> I already answer this question elsewhere in this thread with the reference.
>> but this makes it mandatory. Putin gave the FSB 2 weeks to implement the
>> law, which is clearly impossible, but I suspect that there will be a
>> huge effort to pick all low-hanging fruit. As a result, I suspect no one
>> outside of Russia will touch GOST. (Not that they do now, either.) I'd
>> hate to see its support required for any protocol except in Russia as
>> someone will be silly enough to use it.
> I already explain required GOST usage pattern in this thread.

Ah, I see, freebsd-current list was excluded by someone, so I repeat
what I wrote:

Official documents workflow here require using GOST signatures for
authenticity and consistency verification, they are needed or, in some
cases, required for both people and companies. Since it is official in
any case, there is no harm to have FSB backdoor in the algo, unless some
hacker will find it. Just don't use GOST for something else to stay on
safe side.

BTW, latest GOST based on elliptic curves, so from math point of view
probability of having backdoor here is minimal. I don't examine its
You can consider GOST goals are the same as FIPS ones with the reason to
have things "domestically produced".

freebsd-current@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Reply via email to