Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 02 Apr 2011 06:00:40 +0200
From: klondike <klondike@...cosoft.es>
To: oss-security@...ts.openwall.com
Subject: Re: Closed list

El 01/04/11 20:03, Josh Bressers escribió:
> Initial members will have had to be a vendor-sec member (no exploders this
> time around). You must reply to this thread, in public (on oss-security).
> We want this to be very public, we have nothing to hide. You must have a
> public gpg key ID included in your reply. The new list will gpg encrypt all
> mail (it does accept plaintext messages though)
Will the list provide protection against rubber-hose cryptanalisys?, if
so, how? GPG as most other cryptographic software is vulnerable to it.
What about black-bag cryptanalysis?

Sometime ago I was taught that the best way to be sure a secret was not
known was not saying it, so if you, researchers, want to make sure your
PoC aren't abused do things properly, warn the vendors to upgrade the
product because of your security finding and avoid providing PoCs until
enough time has passed for you to be sure everybody has had a chance to
upgrade.

Any other solution can be easily flawed since you can't make sure I
won't buy/kidnap/kidnap relatives of/steal data from etc. on anybody on
such a private list.


Download attachment "signature.asc" of type "application/pgp-signature" (263 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.