[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 31 Aug 2018 22:54:47 +0200
From: zugtprgfwprz@...rnkuller.de
To: oss-security@...ts.openwall.com
Subject: Re: Travis CI MITM RCE
On 31.08.2018 17:52, Daniel Kahn Gillmor wrote:
> In nearly every case where we're talking about automated signature
> checking, the cost of shipping the public key instead of (or in addition
> to) the fingerprint is negligible. and shipping just the fingerprint
> introduces robustness and reliability problems for the signature
> verification.
Ah, fair enough. Thanks for clarifying this, you're making good points.
The robustness issue is indeed something I completely disregarded.
Luckily, we've already arrived at a point where keys can be as short as
hash values. Ed25519 keys are 32 bytes, i.e., the same length as a
SHA256 hash. So there's that :-)
All the best,
Cheers,
Joe
--
"A PC without Windows is like a chocolate cake without mustard."
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
