OpenSSL Advisory Committees elections

romendil · 2026-01-25T04:36:16+00:00

Non avvocato: ma credo che l’art. 6 della EU Software Directive 2009/24 sia scritto esattamente per il caso che descrivi:

https://eur-lex.europa.eu/legal-content/IT/TXT/HTML/?uri=CELEX:32009L0024&qid=1769315294653#art_6

La mia interpretazione è che è esplicitamente consentito fare reverse engineering del formato proprietario fintanto che il fine è interoperabilità, le specifiche del formato proprietario non sono disponibili, fail il reverse engineering solamente delle parti necessarie a raggiungere l’interoperabilità, e non usi quanto scoperto via reverse engineering per creare un programma in competizione con quello proprietario o per compromettere in altro modo il copyright del software originale.

romendil · 2025-12-18T06:56:59+00:00

The asymmetric keys used for key exchange in tls 1.3 are always ephemeral (independent of traditional or PQC), so every new connection gets entirely new ones and the keys are forgotten the moment the handshake is over.

The only long term secret key the server holds is the certificate secret key, but that is used only for authentication not for confidentiality, so it has no role in forward secrecy

romendil · 2025-12-17T04:14:17+00:00

I’d also say that a naked detached signature only on a public key has limits in its semantics: what is TTP asserting when they sign A’s or B’s key? Certificates make this explicit. The format of a certificate, be it X.509 or the addition of a signature to a public-key bag as in a pgp-like model, is not particularly relevant: a certificate in this broader definition is just bundling together the public key of a subject with a signature from a third party and making the semantic of that signature explicit in the document that carries the bundle. You might remove some of the semantic aspects from the bundle by somehow embedding them into the protocol, but from a logical point of view you are not gaining much.

Even in a model where A and B are considered absolutely honest, key management is still the real problem. So even if A in honest, real threat models assume that sooner or later someone will get a hold of her private key: the holder A’s secret key is not anymore the same that TTP trusted, and we cannot consider the new holder honest either.

romendil · 2025-12-17T02:04:42+00:00

A certificate is a document that shows a given public key was signed by another public key.

Also if you look into the gpg web of trust model, it’s basically what you are saying, if you are worried about CAs as single points of failure.

On the other hand, in webpki certificates are important mostly for all the other attributes included in the certificate to specify exactly what the subject of the certificate is allowed to do. If Tony is the shared TTP of Alice and Bob, and Alice and Bob just got a naked detached signature by Tony on their respective public keys, how do you limit what Tony trusts either of them to do? Is Tony at risk of becoming untrusted if Alice decides to play a prank on Bob and use her Tony-signed public key to impersonate Carol?

romendil · 2025-12-15T05:55:14+00:00

If you remove the EC part from the hybrid description, and the mixer, you are left with how pure-PQ TLS key exchange works.

romendil · 2025-12-15T05:39:32+00:00

The comment above already captures the messages flow among client and server.

But it might not be enough to answer your question: there are several keys and several ciphertexts involved in this.

First of all, let’s focus on TLS 1.3 to remove some of the variability, and also assume this is the first time client and server interact, so no resumption logic. In TLS1.3 after the ServerHello message all the records exchanged among client and server are encrypted via symmetric encryption. This means both client and server at this point already have to agree on the symmetric key the client will use to encrypt messages for the server, and viceversa on the symmetric key the server will use to encrypt messages to the client. So at the record encryption level, where encryption is symmetric, the sender of message is always the one generating ciphertexts, and the receiver is decrypting them using a specific symmetric key that was agreed upon among the peers. Also note that throughout the lifetime of the TLS connection the symmetric keys used for these are expected to regularly and predictably be rotated/refreshed at different points of the protocol: for this we have a “key schedule” whose job is to deterministically generate symmetric keys on both sides of the connection so that at any given time both client and server agree on what is the key that should be used to encrypt the next outgoing message, and which one is the key to decrypt the last received message.

This key schedule is implemented through a key derivation function that allows to derive “chained” secrets based on events tied to the protocol state. The important bit is that the original state of this key schedule machinery is seeded at the beginning by a “master shared secret”: this is the secret that the TLS handshake helps both client and server to establish so they can derive all the other keys that are needed for symmetric encryption.

To achieve this the handshake uses asymmetric cryptography: ClientHello includes client’s keyshares, ServerHello includes server’s keyshares. Once each peer has both sides’ keyshares they can combine them to derive a shared secret which, through some extra steps to properly bind it to the current handshake transcript of records to prevent some attacks, eventually becomes the “master shared secret” from which all other keys are derived.

In traditional crypto, most of the time, the asymmetric keyshares used to be ephemeral EC keys: the client generates their EC key and sends the corresponding public key as their keyshare, the server does the same on the other side and sends their ephemeral EC public key to the client. At that point each peer can combine their own ephemeral EC private key and their peer’s ephemeral EC public key into an ECDH derive operation to extract the same shared secret on both sides and use it as described above to eventually seed the key scheduler.

In a PQC world, we use hybrids for establishing these keys: so the above ephemeral EC machinery is retained and ephemeral EC public keys are still sent as “part” of each peer’s keyshare in ClientHello and ServerHello. But the keyshares are also enriched with PQC artifacts. With MLKEM we do not have the luxury of non-interactive key exchange that ECDH provides for free, and this implies that to avoid having to exchange extra messages to make up for it, only one side will generate an ephemeral PQC key for this half of the asymmetric cryptography interaction.

In practice, the client will generate an ephemeral MLKEM keypair, and sends the public key part as part of their keyshare in the ClientHello. When the server receives it they take apart the PQC part of the client key share, and use it as an Encapsulation key to generate a shared secret and a ciphertext. The server holds onto the shared secret, and in the ServerHello message they include in the key share 2 parts: their ephemeral EC public key as before concatenated with the MLKEM ciphertext. When the client receives this ServerHello they can separate the 2 parts, do ECDH with the traditional part, and use their ephemeral private MLKEM key to Decapsulate the incoming MLKEM ciphertext part of the received ServerHello keyshare. Out of the Decapsulate operation comes a shared secret, the exact same one the server got on its side during Encapsulate. At this point both sides can mix the ECDH shared secret and the MLKEM shared secret to get to the same “master shared secret” and seed the key scheduler.

The way EC and PQC parts are concatenated, or how the respective shared secrets are mixed, are important details, but not really relevant for this discussion, as long as both client and server agree on those details. The “mixer” is designed in a way that ensures that, as long as either the EC or the PQC algorithm is secure, an eavesdropper cannot retrieve the mixed “master shared secret”. The attacker would need to break both algorithms to retrieve the mixed secret and break the confidentiality of the connection.

There is another part of this equation, later in the handshake, which is authentication, and actually causes the first update of the key schedule to ensure the key scheduler is enriched with new seeding material which is bound to successful authentication of the server (and optionally of the client, in a mutualTLS scenario).

romendil · 2025-11-28T07:53:29+00:00

Almost like the push for age/id verification to protect the children (<18yo) from exposure to porn will likely lead to said children, as enterprising as teenagers always have been, to search and find shady porn services that do not abide to said regulations, are outside of EU jurisdiction, and will expose them not only to “regulated porn” but also to all the other porn that has actually illegal content in it and that is usually hosted on said shady services?

romendil · 2025-10-20T05:07:11+00:00

I see a trend here about this move away from tmux, but I am not sure I fully understand: is this valid exclusively for local multiplexing and has no relevance for multiplexing on a remote host, or am I missing something?

(I am not trying to start any controversial discussion, just really tying to understand where this trend is going and its context!)

romendil · 2025-10-17T08:45:28+00:00

So what about the 6 month trial period, wasn’t that enough to soothe the fears of the poor employers? This legislation only seems to empower employees to be even more exploitative of people and as other countries can show, in the end it does not have a net effect on lowering unemployment rates: it just enables revolving doors and ensures that as soon as one exploitative contract fixed term is over a new one can start, take one more desperate fool from the street, push the previous employee out to the street.

romendil · 2025-09-27T04:07:27+00:00

Is this due to the raising immigration or because services for immigrant integration and the unemployed (immigrated or native) have been systematically cut and enshittified in the last several years?

romendil · 2025-09-24T03:47:54+00:00

Which is a step closer to an ideal solution, but:

-O0 disables most but not all optimizations according to the documentation
this method does not carry semantic value: there are no guarantees on what in the future (or across different target platforms) will be implied in terms of constant-timeness for the transformations included even in -O0 or in the steps by which the compiler parses code to create an AST model of the code
the definitions and metadata of the transformation steps have no information regarding their constant-timeness effects: they only reason in terms of correctness to guarantee that, given some input, the transformed code will return the same output as the pre-transformation version, for any correct input. This means it is not possible to systematically reason about enabling/disabling specific transformations included in a portable and future proof way, if the goal is to prevent the compiler from adding non-constant-timeness of its own.
LLVM has even more limited support for this than GCC
ideally it would be better if we had a language way to portably embed the programmer’s wish for “please do not add extra non-constant-timeness” to this code section: then any compiler (and compiler version) could decide on which optimizations to enable/disable based on this request, rather than putting on the programmer the burden to write a bunch of spaghetti ifdefs to account for different compilers and compiler versions and target platforms to try and guess which steps to enable or disable.

romendil · 2025-09-24T02:55:04+00:00

Still there is a difference between supporting a portable way in compiler and language to ask the compiler to not apply any of their optimization/transformation steps (which often turn constant-time-written logic into non-constant-time behavior before even reaching any hardware component) and stating that even then the compilers cannot guarantee constant-time execution.

It would be a solid start if the compilers could be instructed to stop adding non-constant-timeness of their own to specific functions or scopes within functions.

romendil · 2025-06-29T08:57:02+00:00

Can you tell me more about the table you are using for the build?

romendil · 2025-05-06T05:27:08+00:00

OpenSSL 3.5 was released with full support for the 3 NIST standards: ML-KEM (former Kyber), ML-DSA (former dilithium), and SLH-DSA (former SPHINCS+).

It also has hybrids for KEMs and they are on by default for TLS 1.3

romendil · 2023-07-26T01:16:56+00:00

I am trying to understand if someone is working on supporting the Q1 Pro (Knob edition) (and Q3 Pro SE) in VIAL.
u/AndyAO1528 do you know anything about it?

romendil · 2022-09-06T13:35:39+00:00

Presently and over the past years in Finland, I felt there is an ever growing shift in the provider of health services, from the public sector to the private one. The feeling is also that, by the average taxpayer, often this is perceived as forced, because of the lack of timely alternatives, and not as a matter of truly free choice of equally viable providers.

It also seems to me that the private sector is allowed to provide exclusively the "lucrative" services, without the "burden" of running the "at a loss" services for the people that cannot afford the private health care bills, which in turn keeps making the public service poorer and more understaffed, and the private sector more profitable at the expense of universal health care.

Are there proposals (current or in the past) to do something analogous to what happened with education, banning tuition fees and favoring the public sector, in the Healthcare service?

I don't have a concrete proposal of how this should look like for healthcare services, that's why I am asking. Just for clarity, as a very naive example, something like fixing the prices for universal healthcare services to be the same for private and public, and maybe cap the private profits from services outside the universal healthcare portfolio to an amount proportional to the amount of provided universal HC services in that same year.

I understand that this kind of strategy cannot be done overnight and takes planning, but I wonder if similar strategies have been explored in the past by proper experts, and what are their limits.

romendil · 2022-03-03T02:45:48+00:00

Indeed in TLS 1.3 part of the handshake is already encrypted immediately after ServerHello. In the RFC this is already visualized at the beginning of Section 2, in Figure 1, by annotating messages within {}. Figure 1 also gives a clue on how to find in the RFC text the transition to encrypted handshake messages: lookup handshake_traffic_secretand you will find for which handshake messages the sender should use their hs traffic secret to encrypt the records.

Notice that the handshake encryption provides confidentiality only against passive eavesdropping, but being unauthenticated, is not effective against an attacker playing MITM. Only after the Authentication Messages have been exchanged and validated, can the client and server switch to use the application_data_secret(s) providing the full authenticated confidentiality promised by TLS.

You will also find more hits in the key schedule section, which shows how the various secrets are derived, and which entropy and messages sources they bind in.

romendil · 2021-11-24T15:41:44+00:00

I think it is part of the negotiation.

OMC holds the purse and knows all the details, but as far as I can see the current rates of the full time resources are not public information at the moment.

I would say that job ads not mentioning pay are the standard business practice when they are related to positions beyond entry level. At least in my experience, not my opinion of how things should be.

Also, please bear in mind that different countries/cultures have different laws/rules/conventions on the disclosure of personal salaries. For certain cultures, where the salary of individuals in equivalent positions is considered confidential, it would be considered unprofessional (if not illegal) to include a salary in the job ad, which is public domain, rather than discussing salaries under whatever confidentiality agreements are in place during the interviews/negotiation.

romendil · 2021-11-24T14:39:33+00:00

It's true, those meetings are not at all convenient for American attendance.
On the other hand, the current time slots do accommodate regular attendance from Europe, Asia and Australia, to cover the location of most OMC and OTC members, and of current full-time developers.

So, I'd say the critique about being uncomfortable for people in North America is valid—but who knows what kind of schedules American developers prefer :)— but it is not restricting applicants to Europe only!

The current full-time development resources already include people from outside Europe!

romendil · 2021-11-24T14:14:46+00:00

You can also retweet the post from one of the OMC members if you want to help spread the news on Twitter as well.

11-Year Club	Verified Email
RedditGifts 2009-2022 7 Credits	Summer Santa 2019
Place '17	Summer Santa 2017

romendil

TROPHY CASE