Date: Sat, 02 Apr 2011 06:00:40 +0200
From: klondike <klondike@...cosoft.es>
To: oss-security@...ts.openwall.com
Subject: Re: Closed list

On 01/04/11 20:03, Josh Bressers wrote:
> Initial members will have had to be a vendor-sec member (no exploders this
> time around). You must reply to this thread, in public (on oss-security).
> We want this to be very public, we have nothing to hide. You must have a
> public gpg key ID included in your reply. The new list will gpg encrypt all
> mail (it does accept plaintext messages though)

Will the list provide protection against rubber-hose cryptanalysis? If so, how? GPG, as most other cryptographic software, is vulnerable to it. What about black-bag cryptanalysis?

Some time ago I was taught that the best way to be sure a secret was not known was not saying it, so if you, researchers, want to make sure your PoCs aren't abused, do things properly: warn the vendors to upgrade the product because of your security finding and avoid providing PoCs until enough time has passed for you to be sure everybody has had a chance to upgrade.

Any other solution can be easily flawed since you can't make sure I won't buy/kidnap/kidnap relatives of/steal data from etc. anybody on such a private list.