Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
> There were two requests: the bylaws and whether modified grant would be
> acceptable. If, instead of an unrestricted grant in the CLA it were
> restricted to relicensing to an OSI approved licence, the need to do due
> diligence on the foundation goes away.

We're not interested in changing the CLA at this time.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
In message <1483487075.2464.59.ca...@hansenpartnership.com> on Tue, 03 Jan 2017 15:44:35 -0800, James Bottomley said:

James.Bottomley> On Tue, 2017-01-03 at 12:19 +0100, Richard Levitte wrote:
James.Bottomley> > There seems to be some confusion here.
James.Bottomley> >
James.Bottomley> > James, I understand the tpm engine as an external project, not part
James.Bottomley> > of the OpenSSL source proper and not intended to be.
James.Bottomley> >
James.Bottomley> > However, openssl-dev@openssl.org is a list focused on the development
James.Bottomley> > of OpenSSL proper. That makes it a bit odd to discuss the tpm engine
James.Bottomley> > here. Largely off topic.
James.Bottomley>
James.Bottomley> Fair enough. You were cc'd since it's a modification of code used by
James.Bottomley> openSSL, in case there was interest.

Strictly speaking, that belongs in openssl-us...@openssl.org.

The reason I point this out is that for code that isn't meant to be
part of OpenSSL proper, the whole discussion about CLAs, licenses and
whatnot is a red herring that belongs neither here nor there. As long
as you do stuff as a separate project, YOU (collective you) decide
what license to use, let alone your contribution policy.

Of course, I do recall that there was an attempt of patches to be
applied to OpenSSL proper. That alone is subject to our license and
our policies, if that's still interesting (I don't know if it is). If
it is, that should be contributed as a separate patch, preferably as a
github PR (sourceforge is entirely uninteresting to us).

Me, I haven't really minded the discussion here, as long as it didn't
become confusing. After all, it did spark some discussion around my
STORE project ;-)

Did I leave something out or is the situation clear?

Cheers,
Richard

--
Richard Levitte         levi...@openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/

Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
On Wed, 2017-01-04 at 00:04 +, Matt Caswell wrote:
>
> On 03/01/17 12:44, Salz, Rich wrote:
> > > > I'm still waiting on a reply ... I assume holidays are
> > > > contributing to the delay.
> > > > However, openssl_tpm_engine is a DCO project, so that concern
> > > > is irrelevant here.
> > >
> > > Sorry, I'll push to get the bylaws made public, is that what you
> > > need?
> >
> > The OSF bylaws are now linked to from
> > https://www.openssl.org/policies/
>
> I can't actually see this link...am I just missing it, or did you not
> push?

https://www.openssl.org/policies/osf-bylaws.pdf

Thanks for doing this!

James

Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
On 03/01/17 12:44, Salz, Rich wrote:
>>> I'm still waiting on a reply ... I assume holidays are contributing to the
>>> delay.
>>> However, openssl_tpm_engine is a DCO project, so that concern is
>>> irrelevant here.
>>
>> Sorry, I'll push to get the bylaws made public, is that what you need?
>
> The OSF bylaws are now linked to from https://www.openssl.org/policies/

I can't actually see this link...am I just missing it, or did you not push?

Matt

Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
On Tue, 2017-01-03 at 12:19 +0100, Richard Levitte wrote:
> There seems to be some confusion here.
>
> James, I understand the tpm engine as an external project, not part
> of the OpenSSL source proper and not intended to be.
>
> However, openssl-dev@openssl.org is a list focused on the development
> of OpenSSL proper. That makes it a bit odd to discuss the tpm engine
> here. Largely off topic.

Fair enough. You were cc'd since it's a modification of code used by
openSSL, in case there was interest.

James

> Cheers
> Richard
>
> Sent from BlueMail
>
> On 2 Jan 2017 19:22, at 19:22, "Salz, Rich" wrote:
> > > Really, how? By pull request, you mean one against the openssl
> > > github account so people subscribing to that account see it, I
> > > presume? For that to happen, the tree the patch is against must
> > > actually exist within the account, which this one doesn't.
> >
> > You clone the openssl git repo, create your own branch off master,
> > apply the diffs you are mailing to the list, and commit/push and
> > then make a PR. Yes it's a bit of work for you. But it then becomes
> > near-zero work for anyone on openssl to look at it.
> >
> > > This patch is mostly FYI, so yes, I do given that multiple
> > > mailing lists have some interest.
> >
> > It's all about trade-offs. Multiple people have said multiple
> > times that PR's are the best way to work with OpenSSL. If those
> > other groups, individually or collectively, are higher on your
> > priority list, that's fine. But do understand what's going on.
> >
> > > I'm still waiting on a reply ... I assume holidays are
> > > contributing to the delay.
> > > However, openssl_tpm_engine is a DCO project, so that concern is
> > > irrelevant here.
> >
> > Sorry, I'll push to get the bylaws made public, is that what you
> > need?
> >
> > And no, it's not irrelevant. If this is ever going to appear in
> > OpenSSL, a CLA must be signed.

Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
On Mon, 2017-01-02 at 18:22 +, Salz, Rich wrote:
> > I'm still waiting on a reply ... I assume holidays are contributing
> > to the delay. However, openssl_tpm_engine is a DCO project, so that
> > concern is irrelevant here.
>
> Sorry, I'll push to get the bylaws made public, is that what you
> need?

There were two requests: the bylaws and whether modified grant would be
acceptable. If, instead of an unrestricted grant in the CLA it were
restricted to relicensing to an OSI approved licence, the need to do due
diligence on the foundation goes away.

> And no, it's not irrelevant. If this is ever going to appear in
> OpenSSL, a CLA must be signed.

It's not actually my code: I'm just updating it, so I'm unable to say
what the long term plan actually is. I would think, though, that
hardware engines, since they're highly OS support dependent, would be
difficult to keep within openssl itself given that you want to compile
on multiple platforms.

James

Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
> > I'm still waiting on a reply ... I assume holidays are contributing to the
> > delay.
> > However, openssl_tpm_engine is a DCO project, so that concern is
> > irrelevant here.
>
> Sorry, I'll push to get the bylaws made public, is that what you need?

The OSF bylaws are now linked to from https://www.openssl.org/policies/
or available directly at https://www.openssl.org/policies/osf-bylaws.pdf

Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
There seems to be some confusion here.

James, I understand the tpm engine as an external project, not part of
the OpenSSL source proper and not intended to be.

However, openssl-dev@openssl.org is a list focused on the development of
OpenSSL proper. That makes it a bit odd to discuss the tpm engine here.
Largely off topic.

Cheers
Richard

Sent from BlueMail

On 2 Jan 2017 19:22, at 19:22, "Salz, Rich" wrote:
>> Really, how? By pull request, you mean one against the openssl github
>> account so people subscribing to that account see it, I presume? For
>> that to happen, the tree the patch is against must actually exist
>> within the account, which this one doesn't.
>
> You clone the openssl git repo, create your own branch off master,
> apply the diffs you are mailing to the list, and commit/push and then
> make a PR. Yes it's a bit of work for you. But it then becomes
> near-zero work for anyone on openssl to look at it.
>
>> This patch is mostly FYI, so yes, I do given that multiple mailing
>> lists have some interest.
>
> It's all about trade-offs. Multiple people have said multiple times
> that PR's are the best way to work with OpenSSL. If those other
> groups, individually or collectively, are higher on your priority list,
> that's fine. But do understand what's going on.
>
>> I'm still waiting on a reply ... I assume holidays are contributing
>> to the delay.
>> However, openssl_tpm_engine is a DCO project, so that concern is
>> irrelevant here.
>
> Sorry, I'll push to get the bylaws made public, is that what you need?
>
> And no, it's not irrelevant. If this is ever going to appear in
> OpenSSL, a CLA must be signed.

Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
On Mon, Jan 02, 2017 at 08:50:24AM -0800, James Bottomley wrote:
> On Mon, 2017-01-02 at 17:38 +0100, Kurt Roeckx wrote:
> > On Sat, Dec 31, 2016 at 02:52:43PM -0800, James Bottomley wrote:
> > > This patch adds RSA signing for TPM2 keys. There's a limitation to
> > > the way TPM2 does signing: it must recognise the OID for the
> > > signature. That fails for the MD5-SHA1 signatures of the TLS/SSL
> > > certificate verification protocol, so I'm using RSA_Decrypt for
> > > both signing (encryption) and decryption ... meaning that this only
> > > works with TPM decryption keys. It is possible to use the prior
> > > code, which preserved the distinction of signing and decryption
> > > keys, but only at the expense of not being able to support SSL or
> > > TLS lower than 1.2
> >
> > Please submit patches via github.
>
> Um, that's not really possible given that openssl_tpm_engine is a
> sourceforge project.

I obviously didn't look at it and assumed it was for openssl, not some
other project.

Kurt

Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
> Really, how? By pull request, you mean one against the openssl github
> account so people subscribing to that account see it, I presume? For that to
> happen, the tree the patch is against must actually exist within the account,
> which this one doesn't.

You clone the openssl git repo, create your own branch off master, apply
the diffs you are mailing to the list, and commit/push and then make a
PR. Yes it's a bit of work for you. But it then becomes near-zero work
for anyone on openssl to look at it.

> This patch is mostly FYI, so yes, I do given that multiple mailing lists have
> some interest.

It's all about trade-offs. Multiple people have said multiple times that
PR's are the best way to work with OpenSSL. If those other groups,
individually or collectively, are higher on your priority list, that's
fine. But do understand what's going on.

> I'm still waiting on a reply ... I assume holidays are contributing to the
> delay.
> However, openssl_tpm_engine is a DCO project, so that concern is irrelevant
> here.

Sorry, I'll push to get the bylaws made public, is that what you need?

And no, it's not irrelevant. If this is ever going to appear in OpenSSL,
a CLA must be signed.

Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
On Mon, 2017-01-02 at 17:53 +, Salz, Rich wrote:
> > Um, that's not really possible given that openssl_tpm_engine is a
> > sourceforge project.
>
> Sure it is.

Really, how? By pull request, you mean one against the openssl github
account so people subscribing to that account see it, I presume? For
that to happen, the tree the patch is against must actually exist within
the account, which this one doesn't.

> You just find it easier to email patches.

This patch is mostly FYI, so yes, I do given that multiple mailing lists
have some interest.

> This is now the second time you’ve been asked.
>
> And also, you had concerns about the CLA before. Have they been
> resolved? If not you should probably stop.

I'm still waiting on a reply ... I assume holidays are contributing to
the delay. However, openssl_tpm_engine is a DCO project, so that concern
is irrelevant here.

James

Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
> Um, that's not really possible given that openssl_tpm_engine is a
> sourceforge project.

Sure it is. You just find it easier to email patches. This is now the
second time you’ve been asked.

And also, you had concerns about the CLA before. Have they been
resolved? If not you should probably stop.

Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
On Mon, 2017-01-02 at 17:38 +0100, Kurt Roeckx wrote:
> On Sat, Dec 31, 2016 at 02:52:43PM -0800, James Bottomley wrote:
> > This patch adds RSA signing for TPM2 keys. There's a limitation to
> > the way TPM2 does signing: it must recognise the OID for the
> > signature. That fails for the MD5-SHA1 signatures of the TLS/SSL
> > certificate verification protocol, so I'm using RSA_Decrypt for
> > both signing (encryption) and decryption ... meaning that this only
> > works with TPM decryption keys. It is possible to use the prior
> > code, which preserved the distinction of signing and decryption
> > keys, but only at the expense of not being able to support SSL or
> > TLS lower than 1.2
>
> Please submit patches via github.

Um, that's not really possible given that openssl_tpm_engine is a
sourceforge project.

James

Re: [openssl-dev] [PATCH 1/1] add TPM2 version of create_tpm2_key and libtpm2.so engine
On Sat, Dec 31, 2016 at 02:52:43PM -0800, James Bottomley wrote:
> This patch adds RSA signing for TPM2 keys. There's a limitation to the
> way TPM2 does signing: it must recognise the OID for the signature.
> That fails for the MD5-SHA1 signatures of the TLS/SSL certificate
> verification protocol, so I'm using RSA_Decrypt for both signing
> (encryption) and decryption ... meaning that this only works with TPM
> decryption keys. It is possible to use the prior code, which preserved
> the distinction of signing and decryption keys, but only at the expense
> of not being able to support SSL or TLS lower than 1.2

Please submit patches via github.

Kurt
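
The limitation in the patch summary quoted above, as an added example (not part of the thread and not openssl_tpm_engine code): TLS below 1.2 signs a bare 36-byte MD5 || SHA-1 value with no DigestInfo, so the padded block carries no OID for a signing primitive to recognise, while a TLS 1.2 style SHA-256 signature does. The function names are assumptions of this example and the digests are constructed; it builds only the PKCS#1 v1.5 block that a raw private-key operation would then process.

```c
#include <stddef.h>
#include <string.h>

/* DER DigestInfo header for SHA-256 (RFC 8017, section 9.2). */
static const unsigned char SHA256_PREFIX[19] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
};

/* Build the k-byte PKCS#1 v1.5 type 1 block 00 01 FF..FF 00 || T in em,
 * where T = prefix || hash; prefix_len == 0 gives the TLS < 1.2 layout.
 * Returns 0 on success, -1 if the modulus is too small for T. */
int pkcs1_type1_encode(unsigned char *em, size_t k,
                       const unsigned char *prefix, size_t prefix_len,
                       const unsigned char *hash, size_t hash_len)
{
    size_t t_len = prefix_len + hash_len;
    size_t ps_len;

    if (k < t_len + 11)          /* 3 framing bytes plus at least 8 of FF */
        return -1;
    ps_len = k - t_len - 3;
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xff, ps_len);
    em[2 + ps_len] = 0x00;
    if (prefix_len)
        memcpy(em + 3 + ps_len, prefix, prefix_len);
    memcpy(em + 3 + ps_len + prefix_len, hash, hash_len);
    return 0;
}

/* TLS 1.2 style: DigestInfo(SHA-256) wraps the 32-byte digest. */
int encode_sha256(unsigned char *em, size_t k, const unsigned char *hash)
{
    return pkcs1_type1_encode(em, k, SHA256_PREFIX, sizeof(SHA256_PREFIX), hash, 32);
}

/* TLS < 1.2 style: bare MD5 || SHA-1 (16 + 20 bytes), no OID anywhere. */
int encode_md5_sha1(unsigned char *em, size_t k, const unsigned char *hash)
{
    return pkcs1_type1_encode(em, k, NULL, 0, hash, 36);
}

int main(void)
{
    unsigned char em[256], digest[36] = {0};  /* constructed all-zero digest */
    return encode_sha256(em, sizeof(em), digest) || encode_md5_sha1(em, sizeof(em), digest);
}
```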