Hello,

The OpenSSL Foundation writes here: https://www.openssl.org/support/acknowledgments.html

"Please note that we ask permission to identify sponsors and that some sponsors we consider eligible for inclusion here have requested to remain anonymous."

and here: https://www.openssl.org/support/consulting.html

"Does your company use the OpenSSL toolkit and need some help porting it to a new platform? Do you need a new feature added? Are you developing new cryptographic functionality for your product?"

To every secret service, this must sound like music in their ears. They can potentially donate anonymously, and even hire the programmers to get "features" into OpenSSL, similar to the situation with RSA.

Please note that you as developers might not notice it when you are hired to program a backdoor. It may be as simple as a client approaching you, asking you to "implement all NIST standards", and without thinking anything bad, you put something like Dual_EC into your library, thereby putting in a backdoor without noticing it yourself.

If you want to know how great the interest of intelligence agencies is in manipulating encryption hardware, see this translated article from DER SPIEGEL: http://cryptome.org/jya/cryptoa2.htm where it is revealed that the German secret service BND turned out to successfully own the majority of the shares of a major cryptographic hardware manufacturer and instructed the company how to manipulate their devices so that the BND could listen.

The interest of the NSA in weakening crypto software is documented in this New York Times article: http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html?_r=0

So I think the OpenSSL Foundation should take some measures that perhaps may help to scare intelligence agencies away from OpenSSL in the future.

Could the OpenSSL Foundation add official rules that

a) it is not accepting money from intelligence agencies or companies that work for intelligence agencies, and that, if it turns out that a given sum of money comes from intelligence agencies or a contractor of them, the OpenSSL Foundation will return the money, and that this applies even to all earlier donations;

b) developers of OpenSSL are not allowed to do contracting work for intelligence agencies and companies working for intelligence agencies, and that if it turns out a developer had such contracts, he may no longer work for OpenSSL, and that this applies also to earlier contracts of the OpenSSL developers;

c) the names of all companies who hire OpenSSL developers must be published openly on the OpenSSL homepage, and that this applies also to the companies who hired OpenSSL developers earlier;

d) the companies who make donations to OpenSSL will be published openly on the OpenSSL homepage, and that this applies also to the companies who donated to OpenSSL earlier;

e) donations above a certain value, or a person donating very often, are named publicly on the OpenSSL website.

If you incorporate these rules into the OpenSSL Foundation, it may help to scare intelligence agencies away from OpenSSL, since these agencies hate nothing more than publicity. Is it possible for the OpenSSL Foundation to do this?

And by the way: Is there a book or something where one can learn programming with OpenSSL? I know a bit of C++ and C and would be interested to look closer at the source code. But I see that it is very large. Is there something that makes the entry into OpenSSL programming easier?

Best wishes,
Benjamin

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org