On 31.03.2010 14:28, Martin Bartosch wrote:
> Detail question: Is western cryptography banned completely for products
> that are used in your country?
> Or is it possible to continue using e.g. AES to encrypt data *internally*?
> I ask this because I bypassed the crypto abstraction myself and
> deliberately (via Crypt::CBC, which really has massive performance
> benefits compared to our own crypto abstraction for symmetric encryption)
> for the VolatileVault feature. This feature is used only internally by
> OpenXPKI to protect sensitive data internally, it is also becoming more
> important for us, because I have extended the mechanism to provide a
> globally available data pool for storing protected information.
> From a security point of view I believe that even in countries where
> western cryptography shall not be used it might be acceptable to protect
> this internal state information with AES. I'd understand your reasoning if
> you told me that this is not desired in Russia, though, and I could change
> the code to make it compliant quite easily.

Hi Martin,

Short answer is that you need not change the code for "internal" use of
encryption in oxi.

If we talk about PKI use for common civil applications, its legal status in
Russia is controlled by a number of federal laws and subordinate legal acts.
Also at the moment a new version of federal law about digital electronic
signature is under way through the federal parliament. Below let me consider
"an intersection" of existing and planned legal acts, and call this
intersection just "law" for short.

The general idea is simple: all information systems that use PKI fall into
several categories depending on quality and quantity of serviced data. With
easy category you do whatever you want. With hard category you obey strict
rules which say how you develop, register (with a dedicated state organ) and
operate soft-and-hard ware related to PKI.

Let me give some examples.

- PKI system for internal use in a university or in a private business can
  use western or GOST cryptography: whichever is chosen by the director.
  Usually PKI here needs no registration with state organ.
- Bank - client systems usually use western cryptography and usually need to
  registration with state organ.
- Bank to bank systems usually use GOST cryptography.
- Info system of local and federal government bodies has to use GOST
  cryptography and undergo registration with state organ.
- Info systems that involve communication with local and federal government
  bodies have to use GOST cryptography and undergo registration with state
  organ.
- And once during development and testing stage of a big info system meant
  for the government use, a testing PKI based on oxi has been heavily
  used ;) .

Registration of PKI tools with a state organ (when applicable) is very
different for different categories of info systems.
Registration can be as easy as a condition to use already registered
GOST-enabled library or smart card available on the market.
Registration can be very hard and include total check (of both PKI and info
system itself) for correct use of GOST cryptography with subsequent
calculating of checksums for all executable software modules. In the latter
case software solutions based on interpreter languages like perl have little
chance to pass through.

So you can see a vast niche for oxi in Russia. In some cases it has no chance
to be used in a "registered" PKI. But registration like this is not needed at
all in quite a number of cases. Sometimes oxi can be used with western
cryptography. Sometimes oxi can be used with already registered GOST-enabled
soft libraries or hardware.

All the best,
Sergei

_______________________________________________
OpenXPKI-devel mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-devel
