Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 31 Aug 2018 22:54:47 +0200
From: zugtprgfwprz@...rnkuller.de
To: oss-security@...ts.openwall.com
Subject: Re: Travis CI MITM RCE

On 31.08.2018 17:52, Daniel Kahn Gillmor wrote:

> In nearly every case where we're talking about automated signature
> checking, the cost of shipping the public key instead of (or in addition
> to) the fingerprint is negligible.  and shipping just the fingerprint
> introduces robustness and reliability problems for the signature
> verification.

Ah, fair enough. Thanks for clarifying this, you're making good points.
The robustness issue is indeed something I completely disregarded.

Luckily, we've already arrived at a point where keys can be as short as
hash values. Ed25519 keys are 32 bytes, i.e., the same length as a
SHA256 hash. So there's that :-)

All the best,
Cheers,
Joe

-- 
"A PC without Windows is like a chocolate cake without mustard."

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.