OpenSSL Communities

June 2025 meeting minutes (Foundation BAC)

JE Jon Ericson Public Seen by 9

Foundation BAC meeting (June 24, 2025)

Attendees:

  • Nicola Tuveri - Academics

  • Paul Dale - Committers

  • Dmitry Belyavsky - Distributions

  • Randall Becker - Individuals

  • Tim Chevalier - Large Businesses

  • Matt Caswell

  • Tomas Mraz

  • Jon Ericson

  • Using ML-KEM with old (pre-3.5) FIPS providers (Dmitry)

    • See: https://github.com/openssl/openssl/pull/27728

    • fips=yes is a hack. Encoders and decoders are outside of the FIPS boundary, but cryptographic algorithms are not. (Paul)

    • This is not FIPS validation and could be confusing for users who don't know that. (Tomas)

    • Is it a desirable feature to support at all? (Matt)

    • Paul concerns about this particular implementation, but thinks it’s a good idea to support.

    • Foundation focus on non-commercial communities (Matt)

      • FIPS might give non-commercial a good feeling, but provide no value. (Randall)

      • Red Hat wants to make sure that FIPS can work on Fedora. (Dmitry)

      • May change our mandate/scope if we consider precursor projects. (Randall)

    • Let Corporation take the lead (Matt)

    • TAC should decide how it should be done (Paul)

    • No objections to implementing it, but it might not be a Foundation priority

  • OpenSSL Conference (Jon)

    • The BAC will be on the program committee and will be able to vet submitted talks. More details to come. (Jon)

    • Face-to-face meetings? (Matt)

    • Not all of the BAC will be able to make the conference, but Matt will find a time for those who can.

  • Communities platform best practices (Jon)

  • OpenSSL Open hours (Matt and/or Jon)

    • Proposal: submit a form so that we don’t need to sit around waiting for someone to show up. (Jon)

    • Fixed time, but cancel if there is no agenda (Dmitry)

  • Formally verified crypto implementations/Memory-safe language rewrite (Rust, Zig, etc) (Nicola)

    • Academic community is interested in potential plans for verified crypto and/or memory-safe rewrite

    • Dmitry also gets questions about these items

    • The Foundation has no plans, but we aren’t categorically against these ideas. The BAC should consider them in the list of priorities. (Matt)

    • “Competitors” are moving in that direction. Is there a risk to the project in not pursuing these goals? (Nicola)

    • Maybe a hybrid approach that rewrites parts of OpenSSL in Rust or whatnot. (Matt)

    • Project starts a fork that implements a subset of the functionality that is written in Rust. (Tomas)

    • OpenSSL will build and run on virtually any platform that’s around. Is there an LTS commitment? It’s a very big question. (Randall)

    • Is there a risk that memory-safe could be mandated in the future? (Nicola)

    • Staff developers might allow this to be possible. (Randall)

    • Formally verified stuff can be done incrementally and by anyone (Matt)

    • Example: GitHub - ericmercer/sha3-verification: SAW Verification of OpenSSL's SHA3 Implementation (Tim)

    • Can we just provide the framework (Matt)

    • Memory-safe languages also have potential problems (Dmitry)

    • Can we achieve memory-safe using C? (Randall)

    • There is memory-safe C, but it's slow. (Tomas)

  • AOB

    • Reconsider LMS verify. Oracle and Cisco are interested. Signing is unsafe, however. (Paul)

      • This is also an interest to the academic community too. (Nicola)

      • Light weight and avoids new PQC mathematics (Paul)

      • Implementation just needs a final review (Paul)

      • Tim wanted LMS from the get go.

      • All in favor so Paul should raise the PR

    • Should the BAC have a panel or other presence at the conference (Nicola) 

    • We are hiring a C engineer

Action items

  • Submit a PR about LMS verify (Paul)

  • Set up a form and possible time slots for open hours (Jon)

  • Add memory-safe and formally verified to the priority list (Jon)

  • Open a thread on the communities about BAC involvement at the conference (Nicola)

  • Find a time for a face-to-face meeting around the time of the conference (Matt)