Does anyone know if there's going to be any calls covering Message Security as proposed at https://wiki.openstack.org/wiki/MessageSecurity? I'd be very interested in listening in. Thanks in advance, Jeff FYI|PS: Dr. Rogaway is providing royalty free, irrevocable licenses for OCB mode in open source projects (http://www.cs.ucdavis.edu/~rogaway/ocb/license.htm). OpenSSL's grant can be found at http://wiki.openssl.org/images/6/66/OCB-patent-grant-OpenSSL.pdf. OCB is the most efficient AE and AEAD mode available (as far as I know). When operating in OCB mode, there's no need for combining privacy modes like CBC with integrity protections like HMACs; nor is there a need for key derivation functions to ensure key independence. Other AEAD choices include the usual suspects, such as CCM, EAX and GCM mode. But they are less efficient than OCB due to Dr. Rogaway's patent. And +1 for not choosing a mode like EAX Prime for message security like the smart grid ;) ---------- Forwarded message ---------- From: <gerrit2 at review.openstack.org> Date: Fri, Nov 29, 2013 at 12:55 AM Subject: [Openstack-security] [openstack/identity-api] SecurityImpact review request change Ic00009e635f81427ba909a9ce4ba168f14ff51df To: openstack-security at lists.openstack.org Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/40692 Log: commit b775259ef1c06884985521fbba7cabc30884565a Author: Simo Sorce <simo at redhat.com> Date: Wed Aug 7 14:16:28 2013 -0400 Key Distribution Server API for distribution of keys in support of: https://wiki.openstack.org/wiki/MessageSecurity#Key_Derivation SecurityImpact Change-Id: Ic00009e635f81427ba909a9ce4ba168f14ff51df