Am Montag, dem 13.09.2021 um 09:38 -0400 schrieb Yaakov Selkowitz:
On Mon, 2021-09-13 at 08:56 +0200, Jakub Jelen wrote:
> On 3/18/21 4:10 PM, Ben Cotton wrote:
> > On Thu, Mar 18, 2021 at 10:06 AM Jakub Jelen <jjelen(a)redhat.com>
> > wrote:
> > >
> > > We need to strip these curves from upstream tarballs and it
> > > would be
> > > great to have this resolved (in either way) rather sooner than
> > > later.
> > >
> > The Brainpool curves are not approved for use in Fedora at this
> > time.
>
> Hi,
> I wanted to bring up this topic once more again as it was suggested
> that
> without hobbling the source tarball. I proposed the following change
> to
> libgcrypt to support build-time disabling brainpool curves and I
> wanted
> to double-check if this approach is legally acceptable:
Long-standing policy has been that anything which cannot be included
for legal
reasons must be stripped from the source tarballs, so no.
Well, are there any chances for legal to reevaluate the ability to ship
the Brainpool ECC within Fedora and/or RHEL?
Those curves are the IT-security recommendation and almost the de-facto
standard for cryptography in most of the European countries, especially
when it comes to the online functionality of the issued ID documents.
AFAIK, the implementation of Brainpool ECC in OpenSSL and OpenJDK has
been contributed by Oracle, and they claim not to use, nor violate, any
patented algorithms within their code.
Thanks,
Björn aka besser82