[gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Fri Feb 21 13:39:43 CET 2020

Andrew Aladjev commented:

> E.g., if you see an x.509 cert mentioning a public GOST DSA key, should you refuse to use it? If you don't trust the judgement of the CA that issues certs for GOST DSA keys, you probably shouldn't rely on that CA at all.

I see, you are talking about [MITM on all HTTPS traffic in kazakhstan](https://bugzilla.mozilla.org/show_bug.cgi?id=1567114), it was fixed by Google and Mozilla by [blocking national CA](https://venturebeat.com/2019/08/21/google-and-mozilla-block-kazakhstan-root-ca-certificate-from-chrome-and-firefox/). After that chrome and firefox with national CA almost stopped working. It provided a **great damage**, so government quickly removed this certificate and apologized.

This situation is another. I don't trust gost s-boxes because there is no information about their genesis. BTW there is a law in russia that can force any company to use another s-boxes provided by federal agency. They can provide strong or weak s-boxes.

> For Gnutls, having support for gost curves disabled by default seems like a reasonable and conservative choice to me.

Gnutls is not the only program depending on nettle. Why not to include same disabled by default option for nettle? I can provide patches to disable by default old abandoned algorithms like MD4, sh1, etc if required.

> TLS connections to government web servers? Client certs only, or also server certs?

It is a part of national internet project (cheburnet) with gost only cryptography and single national CA. All laws has already been signed. The only way to brake it is to use the power of default. If gost will be disabled by default in all software - cheburnet won't be turned on, because it will provide **great damage**.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/942#note_292269234
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200221/f4678d91/attachment.html>

More information about the Gnutls-devel mailing list