[Cryptography] OpenSSL CSPRNG work
Theodore Ts'o
tytso at mit.edu
Fri Jun 30 11:45:02 EDT 2017
On Thu, Jun 29, 2017 at 04:54:15PM +0100, Darren Moffat wrote:
> In addition to the performance concerns and platforms (yes people really do
> run modern OpenSSL, often bundled with layered software) on a 10 year old
> OS) OpenSSL needs to have its own DRBG inside it's own libraries for FIPS
> 140 validation reasons. For the FIPS case the only answer is having its own
> implementation of a NIST approved DRBG.
As I've told Rich, if he wants to focus narrowly on cryptographic
security issues and not worrying about whether the OS is so badly
riddled with countless known security bugs and even more zero-day
attacks that haven't been made known yet, that's __totally__ up to him
and the OpenSSL team.
Personally, I think thats a silly thing to worry about, and I wouldn't
consider it a great use of resources to support. Even if there are
crazy people who do that.
Also, I personally don't care about FIPS as I view that as a hopeless
waste of taxpayer dollars to enrich FIPS certification labs. I know
that people feed at the US Government Trough need to worry about it.
I'm just thankful I'm not part of that racket. How much effort
OpenSSL volunteers want to spend working on that use case, is again,
their decision. If *I* were on the core team, I'd probably say that
patches would be accepted, but FIPS certification support is not
something I'd ask volunteers to work of their own free will. But
again, that's up to other people to decide.
Cheers,
- Ted
More information about the cryptography
mailing list