Ben:
> > Anyway, French laws aren't that specific. All they talk about is a
> > "key length", so even if you're right, Ben, I don't want to get into
> > trouble just because a pen pusher will have made the wrong assumption.
> > ;-)
>
> That's up to you, but I don't know _anyone_ who thinks that 3DES is more
> than 128 bit, in any meaningful sense. Well, not anyone who knows what
> they're talking about, anyway.

Hmm. As I said, my point is _not_ to start a holy war about 3DES's real
strength. I guess you're right in what you say, Ben. You're renowned
enough in the crypto/SSL field for me (and others) not to doubt
what you say. But what I'm basically talking about here is _the law_.
The point is that _the French law_ says: "Thou shalt not use a keylength
greater than 128 bits". There's no room for interpretation, here. Even if
I invented my own cipher, no matter how rotten it might be (why not use
XOR? ;-)))))) ), I simply wouldn't be allowed to use a 129 bit key! It's
NOT debatable. Full stop. :-(

In fact the people I've been talking to at the "SCSSI" (the administration
which deals with Information Systems Security in France) have until now
been quite understanding and very helpful, but of course, like any other,
they are not supposed to take liberties with the law.

The only way out for me, if there are too many problems compiling OpenSSL
without DES/3DES, would be to try to convince them that by properly
configuring it, I can prevent it from using 3DES (at least this is quite
easy when using it with Apache-SSL or Apache+mod_ssl).

I've got another question about 3DES and SSL: isn't the SSL protocol limited
to a 128 bit keylength? If this is true, how is 3DES handled? Is the 3rd
key only partially used? Or is the "key1, key2, key1" scheme used?

Thanks!

Regards,

Bruno
--
-- Service Hydrographique et Oceanographique de la Marine --- Service INF
-- 13, rue du Chatellier --- BP 426 --- 29275 Brest Cedex, FRANCE
-- Phone: +33 2 98 22 17 49 --- Email: [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]