List: oss-security
Subject: Re: [oss-security] Travis CI MITM RCE
From: zugtprgfwprz () spornkuller ! de
Date: 2018-08-31 20:54:47
Message-ID: 810f5ba6-e779-ca5b-e853-47aaaff73cff () johannes-bauer ! com
On 31.08.2018 17:52, Daniel Kahn Gillmor wrote:
> In nearly every case where we're talking about automated signature
> checking, the cost of shipping the public key instead of (or in addition
> to) the fingerprint is negligible, and shipping just the fingerprint
> introduces robustness and reliability problems for the signature
> verification.
Ah, fair enough. Thanks for clarifying this, you're making good points.
The robustness issue is indeed something I completely disregarded.
Luckily, we've already arrived at a point where keys can be as short as
hash values. Ed25519 keys are 32 bytes, i.e., the same length as a
SHA256 hash. So there's that :-)
All the best,
Cheers,
Joe
--
"A PC without Windows is like a chocolate cake without mustard."
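An added illustration, not part of the thread, of the two points above using only Go's standard library: a raw Ed25519 public key and a SHA-256 fingerprint are both 32 bytes, yet a verifier that receives only the fingerprint must first resolve it to a key (here a constructed in-memory map standing in for a keyserver) before it can check anything, which is exactly the extra failure mode that shipping the full key avoids. The message and keyring are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Fingerprint returns the hex SHA-256 digest of the raw 32-byte Ed25519 public key.
// Both the key and the digest are 32 bytes, so neither is "cheaper" to ship.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// VerifyWithShippedKey is the robust path: the key travels with the artifact,
// so verification depends only on the bytes in hand, not on any lookup.
func VerifyWithShippedKey(pub ed25519.PublicKey, msg, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, msg, sig)
}

// VerifyWithFingerprint is the fingerprint-only path: the fingerprint must be
// resolved to a key via some external source (modelled by keyring). If that
// resolution fails, a perfectly valid signature still cannot be verified.
func VerifyWithFingerprint(fp string, keyring map[string]ed25519.PublicKey, msg, sig []byte) (bool, error) {
	pub, ok := keyring[fp]
	if !ok {
		return false, errors.New("fingerprint could not be resolved to a public key")
	}
	return ed25519.Verify(pub, msg, sig), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte("constructed release tarball contents") // constructed sample
	sig := ed25519.Sign(priv, msg)

	fmt.Printf("Ed25519 public key: %d bytes, SHA-256 fingerprint: %d bytes\n",
		ed25519.PublicKeySize, sha256.Size)
	fmt.Println("shipped key verifies:", VerifyWithShippedKey(pub, msg, sig))

	// Same signature, same fingerprint, but the verifier has no key source.
	ok, err := VerifyWithFingerprint(Fingerprint(pub), map[string]ed25519.PublicKey{}, msg, sig)
	fmt.Println("fingerprint-only verifies:", ok, "error:", err)
}
```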