[PATCH] MD2 for libgcrypt
Stephan Mueller
smueller at chronox.de
Tue Jul 20 10:09:17 CEST 2010
Am Dienstag 20 Juli 2010, um 09:11:08 schrieb Werner Koch:
> On Mon, 19 Jul 2010 21:11, dkg at fifthhorseman.net said:
> > Are the patches rejected due to poor implementation? due to licensing
> > reasons? or due to a desire to not ship the MD2 functionality in
>
> The MD2 things comes up every few years and we have always rejected it.
>
> For one the legal state of the algorithm is not clear: It is likely that
> it has been taken from the RFC which has a non-commercial clause. In
> this regard it is similar to arcfour. The GNU project is very
> cautiousness on these issues and thus we would need to clear the legal
> state first (meaning long dicussions with RSA Inc). I don't think this
> is justified. And of course we need a copyright assignment and code
> which is clearly not based on rfc 1319.
>
> The other reasons is that I don't want to keep those old certificates
> alive. They should have been abolished a long time ago. IMHO there is
> no good reason to use them (Sorry, Stefan). Getting certificates for
> S/MIME is not hard and actually pretty cheap these days.
I know, but tell that to my counterparts!
>
> A counterpoint would be that the whole X.509 PKI business is entirely
> broken and does not provide any security at all. You only need to look
> at a few of the implementation problems identified in the last years.
> Thus why not add support for it - it won't make it worse. But see the
> first point.
>
Ok, may I then ask that you add a pointer to my patches in your documentation
(I will give you the URL of my web page which will also contain a polished
version of the patches)? I just want people to give a chance using gpgsm when
they need to rely on MD2.
Ciao
Stephan
--
| Cui bono? |
More information about the Gcrypt-devel
mailing list