okay hello thanks for being here so early so I'm going to talk about gnutls and gnutls maintainer let's see if this works so gnutls is a TLS or

SSL library TLS and SSL or mutualx go it's the acronyms for for the same

protocol SSL was invented by Netscape a long time ago and standardized within the ITFS TLS there has been some changes in the protocol but not not very large changes so TLS is the security protocol used in HTTPS which you may be

familiar with so gnutls is like OpenSSL but the philosophy is to to strip away all the non TLS related stuff like smime like low-level crypto gnutls doesn't

provide AES encryption or similar it's just a TLS library so hopefully gnutls will be less bloated than OpenSSL still it would be nice to make things more modular but but at least it's smaller than OpenSSL the x509

stuff like OSSP is not supported either I'll talk about this later so so gnutls is part of the gnu project protected by Stahlman's GPL

shield and the copyrights is assigned to the FSF so they can protect us in if there are some problems in some some company takes gnutls and puts in some product and doesn't follow the license so the core library is the

lesser GPL version 2.1 we have been thinking about moving to lgpl version 3 but a lot of dependent or reverse dependencies on gnutls test that

still are using lgpl v version 2.1 so it will probably take some time before we can upgrade it the core library or the tools and the surrounding utilities are under the GPL v3 like the util gnutls and dash CLI

the command line interface there is also an extra library in gnutls called you know to lib gnutls dash extra which contains some right now it

contains minor things like L set O compression and it used to contain more things but we have remote things from it it used to contain the open PGP authentication but that has moved into the lgpl part so the majority of

the library is lgpl version 2.1 so gnutls depends on vernacochs lib gcrypt for low-level encryption in the latest stable branch it's possible to replace

lib gcrypt on a per encryption algorithm basis so if you want to plug in your favorite implementation of AES that's possible or if you want to use hardware assisted encryption that's also possible we're using libtason

1.1 for asm1 parsing it's a very small library written for gnutls it's I believe it's below 10,000 lines of codes which is fairly small for asm1 library and that's required for the x509 parsing

it's not used for any TLS protocol parsing for compression there is we support libset and lib LSO actually and the LSO L set O compression is not

standardized for TLS so it's a non-standard extension but we support it for for experimentation anyway that's part of the GPL v3 version 3 extra library there are bindings for guile the gnu lisp extension

programming language and C++ the C++ libraries or wrappers are not heavily used I haven't seen any large projects use them yet hopefully it will take up

there are some unofficial wrappers like Python as well I haven't used them myself they are out there as far as I know there are no Perl bindings so if anyone here is a Perl hacker there's a nice project for you there's

also a Windows installer built using the ming-wee cross compiler and the msis installer which are very nice tools to create Windows programs from

from Linux environment so some history about gnutls it's a eight-year-old project Nikos wrote it initially and was the maintainer for several years I

maintain it since I think 2005 or something like that because you know totally Nikos didn't have enough time to to work on it and Nikos is still around and is the largest contributor today besides myself there's

a fairly small development team over the time 15 people have been contributing patches to gnutls large patches so they had to sign copyright papers for the FSF that's fairly small number of people so if you're

interested to work on our security project it's a good chance to join the team so this this graph is from OLL on the code size so fairly stable increase of code I'd like to reduce that code at some point but still this

inevitable curve to just increase another way to increase the code would be to modulize things further that's something we'll do in the next branches

oops so another goal with gnutls is to have good documentation I talked with a lot of OpenSSL users that are frustrated with lack of documentation so gnutls has good there's a text info manual which can be read like just a

user manual or a programming manual there's also the GTK doc interface used by gnome for documenting libraries used by GTK and glib so we put a lot of

energy in in making things documented and if it's not documented it's not supported officially so so everything that is in gnutls has good documentation so some of the features you know in gnutls which you might not be familiar with you if you are familiar with TLS is gnutls supports

OpenPGP authentication so you can use your OpenPGP or gnupg key to authenticate yourselves to a server and vice versa the server can use a gnupg key to authenticate the server to you as a user it's an interesting

feature that I hope will be used more there is an Apache module that supports it so other features there's support for SRP authentication which is

if you are not using certificates but want to use a password instead you can use SRP it's a good way to authenticate TLS sessions with a password and

another TLS extension that has been published or standardized relatively recently is PSK it's it's TLS authentication with pre shared keys like if you have a static AS key or desk key you can authenticate the channel using that key another feature in gnutls has been the server name extension

which allows you to use multiple TLS servers on the same IP address which has been a problem in Apache with mod SSL for a long time that you have to use a unique IP per SSL site it's still of course you need the support

in the browsers but recent Firefox and Internet Explorer supports it gnutls also includes x5 line tools so you can create certificates CA sign them and parse certificate requests and so on so also working with the gnutls is

challenging from a patent point of view first of all the entire TLS protocol is patented it's patented by Netscape a long time ago fortunately

they are not doing anything with their patent so it's possible to make a free implementation of it and the RSA of course has been the historic problem with the RSA patent but there's always been free implementation of RSA

available the RSA patent has expired so it's no longer a problem the SRP patent is patented by Stanford they have actually released that as a free patent and encourage free implementation of it there are also

some rumors about other eCanSpeak patents that may apply to the SRP technology so some organizations are concerned with using SRP I know that the red hats gnutls builds disable all the SRP stuff in it and there's also an

authorization extension for TLS being defined actually it's been through four last calls in the ITF and it hasn't passed so far there's a last call for it right now and it might pass this time there is a patent on the

technology by the draft authors and it's not clear whether that license is free enough to be useful okay that I have some time left so I can take some

questions if there are any and I think the library isn't growing like

they say it's mostly tools and examples and self-tests there's a very large self-test part of gnutls and I think that's a big part of it I believe the library itself is below 100,000 so auxiliary code yep more

questions I don't have the license from Stanford ready or clear in my head

but they have been encouraging free implementation and they have been supplying the community with an implementation of SRP under a BST license as well so it looks like Stanford is not going to sue anyone but of course this is a patent area so you never know what happens to patents

the SRP patents that's more problematic is probably the speak or eek patents because they are owned by Lucent or some other components and but then it's a problem of thinking of whether that patent applies to this SRP technology

or not and that's that's lawyer territory so it's it's difficult to answer but I believe the Stanford patent grant is is fine that's the best we can hope for any more questions yep yeah so so we have had I think five

or six security announcements for you know tell us and some some have been okay I can answer that in the break