AssAccess was passed with no amendments

9 messages

AssAccess was passed with no amendments

FooCrypt

Does OpenSSL have a policy stance on government-enforced back doors?

-- 

Regards,

Mark A. Lane   

Cryptopocalypse NOW 01 04 2016

Volumes 0.0 -> 10.0 Now available through iTunes - iBooks @ https://itunes.apple.com/au/author/mark-a.-lane/id1100062966?mt=11

© Mark A. Lane 1980 - 2018, All Rights Reserved.
© FooCrypt 1980 - 2018, All Rights Reserved.
© FooCrypt, A Tale of Cynical Cyclical Encryption. 1980 - 2018, All Rights Reserved.
© Cryptopocalypse 1980 - 2018, All Rights Reserved.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: AssAccess was passed with no amendments

B. Meeker
the silence is deafening

On 2018-12-06 04:47, [hidden email] wrote:

> Does OpenSSL have a policy stance on government enforced back doors ?
>
> --
>
> Regards,
>
> Mark A. Lane
>
> Cryptopocalypse NOW 01 04 2016
>
> Volumes 0.0 -> 10.0 Now available through iTunes - iBooks @
> https://itunes.apple.com/au/author/mark-a.-lane/id1100062966?mt=11
>
> © Mark A. Lane 1980 - 2018, All Rights Reserved.
> © FooCrypt 1980 - 2018, All Rights Reserved.
> © FooCrypt, A Tale of Cynical Cyclical Encryption. 1980 - 2018, All
> Rights Reserved.
> © Cryptopocalypse 1980 - 2018, All Rights Reserved.

Re: AssAccess was passed with no amendments

Michael Wojcik
> On 2018-12-06 04:47, [hidden email] wrote:
> > Does OpenSSL have a policy stance on government enforced back doors ?
> >
> From: openssl-users [mailto:[hidden email]] On Behalf
> Of [hidden email]
> Sent: Friday, December 14, 2018 13:25
>
> the silence is deafening

"OpenSSL" doesn't have a "policy stance" on anything. It's a software package.

This is openssl-users, not openssl-official-opinions-of-the-OpenSSL-Foundation. Or openssl-political-discussions, for that matter.

I imagine many people who are subscribed to this list are not in favor of the legislation in question. However, that is not a subject pertinent to the list, and openssl-users remains valuable to its subscribers in large part because most of the traffic remains on-topic.

There are plenty of forums where people have expressed, and continue to express, their opinions of the Assistance and Access Bill. That includes numerous cryptography and security experts, and representatives of organizations which are active in those areas. Some random posts in openssl-users will not materially change the course or weight of that discussion.

--
Michael Wojcik
Distinguished Engineer, Micro Focus


Re: AssAccess was passed with no amendments

B. Meeker
Though you could infer my opinion, I was not trying to create a
political debate as you allude.  I'm sure many users would agree that
the A&A bill is profoundly relevant and "on-topic" considering OpenSSL
has an Australian developer.  I simply wanted a clear statement so I can
make an informed decision whether or not I should use OpenSSL in future
projects.  I now have my answer.  Thank you.

On 2018-12-14 14:49, Michael Wojcik wrote:

>> On 2018-12-06 04:47, [hidden email] wrote:
>> > Does OpenSSL have a policy stance on government enforced back doors ?
>> >
>> From: openssl-users [mailto:[hidden email]] On
>> Behalf
>> Of [hidden email]
>> Sent: Friday, December 14, 2018 13:25
>>
>> the silence is deafening
>
> "OpenSSL" doesn't have a "policy stance" on anything. It's a software
> package.
>
> This is openssl-users, not
> openssl-official-opinions-of-the-OpenSSL-Foundation. Or
> openssl-political-discussions, for that matter.
>
> I imagine many people who are subscribed to this list are not in favor
> of the legislation in question. However, that is not a subject
> pertinent to the list, and openssl-users remains valuable to its
> subscribers in large part because most of the traffic remains
> on-topic.
>
> There are plenty of forums where people have expressed, and continue
> to express, their opinions of the Assistance and Access Bill. That
> includes numerous cryptography and security experts, and
> representatives of organizations which are active in those areas. Some
> random posts in openssl-users will not materially change the course or
> weight of that discussion.
>
> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus

Re: AssAccess was passed with no amendments

Viktor Dukhovni
> On Dec 14, 2018, at 5:42 PM, [hidden email] wrote:
>
> I simply wanted a clear statement so I can make an informed decision whether or not I should use OpenSSL in future projects.  I now have my answer.  Thank you.

This is not the right forum for that question.  The bill is too
new for a policy response to have been considered or agreed.

OpenSSL has committers from many countries.  OpenSSH also
has an Australian maintainer, have they published a policy?

I am sure there are Australian contributors to Linux, NetBSD,
FreeBSD, OpenBSD, Android, ...

Avoiding all taint from anything touched by Australia will not
be easy.
 
--
        Viktor.


Re: AssAccess was passed with no amendments

FooCrypt
Rather than going down the political or policy line, perhaps it may be prudent to discuss the technical solutions to testing the engine, regardless of the OS it is running on.

How does one validate and test the engines during / after compile to ensure their ‘trust’ ?

> On 15 Dec 2018, at 10:42, Viktor Dukhovni <[hidden email]> wrote:
>
>> On Dec 14, 2018, at 5:42 PM, [hidden email] wrote:
>>
>> I simply wanted a clear statement so I can make an informed decision whether or not I should use OpenSSL in future projects.  I now have my answer.  Thank you.
>
> This is not the right forum for that question.  The bill is too
> new for a policy response to have been considered or agreed.
>
> OpenSSL has committers from many countries.  OpenSSH also
> has an Australian maintainer, have they published a policy?
>
> I am sure there are Australian contributors to Linux, NetBSD,
> FreeBSD, OpenBSD, Android, ...
>
> Avoiding all taint from anything touched by Australia will not
> be easy.
>
> --
> Viktor.
>


Re: AssAccess was passed with no amendments

FooCrypt
Just in time for xmas,

Regards,

Mark A. Lane


Be Protected, Get ….…..

The FooKey METHOD :

http://foocrypt.net/the-fookey-method


The common flaws in ALL encryption technologies to date are :


1. Typing on a KeyBoard to enter the password
2. Clicking on the Mouse / Pointer device that controls the location of the cursor
3. Some person or device looking / recording your screen as you type the password
4. The human developing a password that is easily guessed, or can be brute forced due to its length
5. Sharing the password with a third party to decrypt the data
6. Storing the encrypted data in a secure location so no unauthorised access can be made to either the key(s) to decrypt the data or the encrypted data itself
7. The Right Wing Policies of the Liberal Party of Australia, being forced into law so they can all make it to the xmas party…!


FooCrypt, A Tale Of Cynical Cyclical Encryption, takes away the above ‘BAD GUYS’ by providing you with software engineered to alleviate all the above.



© Mark A. Lane 1980 - 2017, All Rights Reserved.
© FooCrypt 1980 - 2017, All Rights Reserved.
© FooCrypt, A Tale of Cynical Cyclical Encryption. 1980 - 2017, All Rights Reserved.
© Cryptopocalypse 1980 - 2017, All Rights Reserved.


Re: AssAccess was passed with no amendments

Kyle Hamilton
In reply to this post by FooCrypt
Getting the key for any given communication from OpenSSL is definitely doable if you're not using an engine.  If you are using an engine, it may or may not be even possible.

In any case, maintaining that key once you have it is definitely out of scope of OpenSSL. As an app developer subject to that law, it is up to you to figure out a way to keep it available for compliance purposes.

I'm not part of the OpenSSL team, so I have no capacity to make a policy statement on their behalf.  However, I'm pretty sure that OpenSSL is not going to alter its API or its library design to make it easier for a bolt-on AusAssAccess module to be written that directly queries the state of the library or its structures.

That said, in the past it's been bandied about that an originating software package subject to the law could encrypt the symmetric key not only to the intended recipient, but also to a hardcoded compliance key.  A receiving software package subject to the law would have to modify its receipt process to store a copy of the symmetric key elsewhere when it first decrypted a message -- probably also encrypted to a hardcoded compliance key.

The downside is "what happens when that compliance key is compromised"?  (or, for that matter, if the compliance key is lost.)  And it will be compromised or lost, someday, some way.  That's the reason so many people have been against backdoors like this -- the security of the system is good, but the security of human beings tasked with maintaining the security of the system is nowhere near as good.

-Kyle H

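Kyle's sketch above of a compliance key as an extra recipient, worked through as an added example written for this edit rather than code from the thread or from OpenSSL. It assumes a hypothetical envelope format (Envelope, Seal, Open, ExposureCount and keyID are invented names), RSA-OAEP for wrapping the content key and AES-256-GCM for the message body; the thread names neither, so both are assumptions. Only the Go standard library is used. ExposureCount shows the failure mode the post describes: each recipient key opens its own message, while the compliance key opens every message it was ever wrapped to.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a constructed wire format: one AES-256-GCM ciphertext plus one
// RSA-OAEP wrapped copy of the content key per recipient (compliance key included).
type Envelope struct {
	Nonce, Ciphertext []byte
	WrappedKey        map[string][]byte // wrapped content key, keyed by keyID
}

// keyID labels a public key so one envelope can hold several wrapped copies.
func keyID(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(pub.N.Bytes())
	return fmt.Sprintf("%x", sum[:8])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg once under a fresh content key and wraps that key to every
// public key given; listing the compliance key here is what makes it escrow.
func Seal(msg []byte, recipients ...*rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // 256-bit content key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	contentKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, msg, nil),
		WrappedKey: make(map[string][]byte)}
	for _, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKey[keyID(pub)] = wrapped
	}
	return env, nil
}

// Open recovers the plaintext with any private key whose public half was a
// recipient, so a compliance private key opens every message ever sealed to it.
func Open(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKey[keyID(&priv.PublicKey)]
	if !ok {
		return nil, errors.New("key is not a recipient of this envelope")
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// ExposureCount is the blast radius of one private key: how many of the
// captured envelopes it can open. For the compliance key that is all of them.
func ExposureCount(envs []*Envelope, priv *rsa.PrivateKey) int {
	n := 0
	for _, env := range envs {
		if _, err := Open(env, priv); err == nil {
			n++
		}
	}
	return n
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	compliance, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed sample traffic: one message each to Alice and Bob, both also wrapped to the compliance key.
	toAlice, _ := Seal([]byte("hello alice"), &alice.PublicKey, &compliance.PublicKey)
	toBob, _ := Seal([]byte("hello bob"), &bob.PublicKey, &compliance.PublicKey)
	traffic := []*Envelope{toAlice, toBob}
	fmt.Println("alice:", ExposureCount(traffic, alice), "bob:", ExposureCount(traffic, bob),
		"compliance:", ExposureCount(traffic, compliance))
}
```

The other case Kyle raises, a lost compliance private key, leaves the recipients unaffected but makes the wrapped copy in every envelope permanently useless: the format carries nothing that could re-wrap the content key to a replacement.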

Re: AssAccess was passed with no amendments

FooCrypt
Kyle

Anyone in their right mind understands the dangers with government key escrow systems and governments requesting back doors or delaying the remediation of existing zero days, local and remote exploits so that they can utilise them for their own intelligence or law enforcement purposes.

From FooCrypt’s perspective, FooCrypt utilises OpenSSL as an engine, calling the binary via an exec rather than calling a purposely built library from the OpenSSL source code. This has added security as it enables the end user to select an appropriate version of the engine that they have access to as per their own country’s legal requirements around encryption software. FooCrypt is distributed on macOS platforms as a read-only disk image, on Linux and Windows systems as a Debian package, and as a customised SOE in a read-only bootable Live ISO file which can be burnt to an old-fashioned DVD and booted via a VM or on cut-down hardware with no physical disk / network / Bluetooth etc. The encrypted data objects can be sent via any messaging service / email / snail mail postage / fax / protocol / etc. Technically, if an end user utilised the Live ISO on a blackbox system with a deadman switch on the power, there is no way to ‘escrow’ the keys for anyone.

Not only is AssAccess an affront to the sanity of those who are left in Australia still managing to work in the encryption space since they criminalised encryption under the Defence Trade Act’s additions of encryption into the Defence Strategic Goods Listing, it has been politicised by our degenerate LNP government with make-believe claims that have no foundation and belittle those with any technical understanding of the issues.

From a user’s perspective, end users should be able to ‘trust’ the encryption software they use and not have to deal with the perception of ‘back doors’ requested by Governments, which can’t be reported by those who are crunching the code, as the Government is threatening them with a 5 year jail term and massive fines for disclosing the Government’s attempts to circumvent security.

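FooCrypt's earlier question, how to validate an engine after it is built, and the later description of calling the openssl binary via exec, answered with an added example that is not FooCrypt's, OpenSSL's or the thread's code: one way a program that execs OpenSSL can refuse to run a binary it has not pinned. EngineSpec, FileDigest, CheckPermissions, ParseVersion and VerifyEngine are hypothetical names, the path and digest in main are placeholders, and the banner format is the one `openssl version` prints ("OpenSSL 1.1.1a  20 Nov 2018"). All on-disk checks run before the binary is executed, so a substituted file never runs.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"os/exec"
	"regexp"
	"strings"
)
// EngineSpec pins what an exec'd OpenSSL binary must look like before this
// process is willing to call it; a deployment records its own digest at build time.
type EngineSpec struct {
	Path          string
	SHA256Hex     string // expected hex SHA-256 of the file on disk
	VersionPrefix string // e.g. "1.1.1": the version the binary reports must start with this
}

// FileDigest returns the lowercase hex SHA-256 of the file at path.
func FileDigest(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// CheckPermissions rejects anything that is not a regular file or that users other
// than the owner can modify: a writable engine can be swapped after its digest was checked.
func CheckPermissions(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("%s is not a regular file", path)
	}
	if info.Mode().Perm()&0o022 != 0 {
		return fmt.Errorf("%s is group/world writable (%v)", path, info.Mode().Perm())
	}
	return nil
}

var versionLine = regexp.MustCompile(`^OpenSSL (\d+\.\d+\.\d+[a-z]*)\b`)
// ParseVersion extracts the version token from the first line of `openssl version`
// output, e.g. "OpenSSL 1.1.1a  20 Nov 2018" -> "1.1.1a"; other banners are rejected.
func ParseVersion(output string) (string, error) {
	first := strings.TrimSpace(strings.SplitN(output, "\n", 2)[0])
	m := versionLine.FindStringSubmatch(first)
	if m == nil {
		return "", fmt.Errorf("unrecognised version line: %q", first)
	}
	return m[1], nil
}

// VerifyEngine runs the on-disk checks first, so an unexpected binary is never
// executed, and only then asks the binary what it is.
func VerifyEngine(spec EngineSpec) (string, error) {
	if err := CheckPermissions(spec.Path); err != nil {
		return "", err
	}
	got, err := FileDigest(spec.Path)
	if err != nil {
		return "", err
	}
	if got != strings.ToLower(spec.SHA256Hex) {
		return "", fmt.Errorf("digest mismatch for %s: got %s", spec.Path, got)
	}
	out, err := exec.Command(spec.Path, "version").Output()
	if err != nil {
		return "", err
	}
	v, err := ParseVersion(string(out))
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(v, spec.VersionPrefix) {
		return "", fmt.Errorf("version %s does not match pinned prefix %s", v, spec.VersionPrefix)
	}
	return v, nil
}

func main() {
	// Placeholder spec: substitute the path and digest recorded for your own build.
	spec := EngineSpec{Path: "/usr/bin/openssl", SHA256Hex: "<pinned sha256 hex>", VersionPrefix: "1.1.1"}
	if v, err := VerifyEngine(spec); err != nil {
		fmt.Println("refusing to use engine:", err)
	} else {
		fmt.Println("engine verified, version", v)
	}
}
```

This establishes only that the binary on disk is the one whose digest you recorded; whether that build itself deserves trust is the part of the question the thread leaves open, and a hash cannot answer it, since it is settled upstream by how the source was obtained, reviewed and built.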