Re: Archive signatures versus message digests
- From: Olav Vitters <olav vitters nl>
- To: Guido Trentalancia <guido trentalancia com>
- Cc: gnome-infrastructure gnome org
- Subject: Re: Archive signatures versus message digests
- Date: Fri, 16 Dec 2011 15:20:14 +0100
On Thu, Dec 15, 2011 at 04:51:02PM +0100, Guido Trentalancia wrote:
> Also consider that Redhat, being a supplier of systems to the US
> government, might have legal obligations towards it to use NSA or at
> least NIST certified cryptographic equipment instead of uncertified
> open-source software such as gpg (www.gnupg.de) that I had proposed to
> you as an initial affordable solution fit for purpose of many home users
> provided that gpg is in turn secure and provided that the algorithms
> being used are secure enough.
Why does it matter what Red Hat's legal obligations are? I say it once
again: SHA256 is not there to provide security. GPG might be nice, not
doing it at the moment, will be done at some point in the future.
> But if you really never heard anything like this before, then a good
> introductory article for the general public is the following one:
>
> http://www.bbc.co.uk/news/uk-england-gloucestershire-11475101
>
> Of course other algorithms can be invented and created if those provided
> at no cost by gpg do not suit your taste or if you can prove that they
> are faulty or too weak.
I suggest looking into practical security instead of your theoretical
stuff. Yeah GPG might have some added value. Practically speaking, with
the current infrastructure at GNOME, it will provide a _false_ sense of
security.
Please read https://lwn.net/Articles/467598/ to see how I work on
security. Fixing the bigger problems, instead of minor things like GPG
while leaving a big gaping door open.
--
Regards,
Olav
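The distinction Olav draws (a digest file published next to the archive catches corrupt or truncated downloads, but anyone who can replace the archive on the mirror can regenerate the digest too, so it is not an authenticity control) can be shown with a small model. This is an added example, not code from the thread or from GNOME's infrastructure: an HMAC with a key the mirror never holds stands in for a GPG detached signature, and it assumes the verifier obtained that key out of band rather than from the same mirror.

```python
import hashlib
import hmac
import secrets


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(data: bytes, key: bytes) -> str:
    # Stand-in for a GPG detached signature: only the key holder can produce it.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def publish(archive: bytes, signing_key: bytes) -> dict:
    # What the release manager uploads: tarball, .sha256sum file, detached signature.
    return {"archive": archive, "sha256sum": sha256_hex(archive), "sig": sign(archive, signing_key)}


def replace_on_mirror(mirror: dict, new_archive: bytes) -> dict:
    # Whoever can write the archive can write a matching digest file in the same step;
    # the signature cannot be regenerated because the signing key is not on the mirror.
    return {"archive": new_archive, "sha256sum": sha256_hex(new_archive), "sig": mirror["sig"]}


def check_digest(mirror: dict) -> bool:
    return hmac.compare_digest(sha256_hex(mirror["archive"]), mirror["sha256sum"])


def check_signature(mirror: dict, verify_key: bytes) -> bool:
    return hmac.compare_digest(sign(mirror["archive"], verify_key), mirror["sig"])


def demo() -> dict:
    key = secrets.token_bytes(32)  # held by the release manager and the verifier only
    good = b"gnome-foo-3.2.1.tar.xz (constructed sample archive bytes)"
    mirror = publish(good, key)
    # Case 1: a download truncated in transit; the digest file is what catches this.
    truncated = dict(mirror, archive=good[:10])
    # Case 2: archive and digest both rewritten on the mirror; only the signature notices.
    swapped = replace_on_mirror(mirror, b"gnome-foo-3.2.1.tar.xz (constructed, modified)")
    return {
        "pristine": (check_digest(mirror), check_signature(mirror, key)),
        "truncated": (check_digest(truncated), check_signature(truncated, key)),
        "swapped": (check_digest(swapped), check_signature(swapped, key)),
    }
```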