[gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Fri Feb 21 21:01:46 CET 2020

Andrew Aladjev commented:

> So, how does certification of proprietary software correlate to open source projects? They will never be certified, believe me. Even OpenSSL's gost engine (developed by CryptoCom) can not be certified. This is the significant difference from FIPS certification (where one can certify software after it has been developed).

It is dangerous to start using gost. Foreign developers should know that all international cryptography standards has no power in russia. RFCs about cryptography are just funny papers. There was a [try to allow international standards](https://safe.cnews.ru/news/top/medvedev_poruchil_putinu_otkryt_dorogu) in russia, but it failed. After licensing process your gost support become a black box without access. Licensing is required for almost all activities except personal. Gost is not a good algorithm, it is just the only one allowed for national usage.

There is no guarantee that russian proprietary software will support any other S-box, but there is a proven fact that there are weak S-boxes. You can use gost outside russia if unknown genesis of S-boxes from RFC is ok for you. But please let all post-USSR country users to disable it.

> Niels was talking about binary compatibility between Nettle builds, if I got him right. On top of that support for GOST R 34.11-94 hash algorithm was added in Nettle 2.6. So Nettle contained gost28147 code for ages.

I am completely agree with you and Niels about that. All old algorithms like MD*, SHA-1 and maybe some gost parts should not be removed and stay for historical reasons and compatibility.

But please sanitize all new gost functions with `IF_GOST` and `WITH_GOST`. These functions are not a part of any existing nettle release. I've already provided a patch. Thank you.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/942#note_292541149
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200221/6a213907/attachment.html>

More information about the Gnutls-devel mailing list