
List:       oss-security
Subject:    Re: [oss-security] Travis CI MITM RCE
From:       zugtprgfwprz () spornkuller ! de
Date:       2018-08-31 20:54:47
Message-ID: 810f5ba6-e779-ca5b-e853-47aaaff73cff () johannes-bauer ! com

On 31.08.2018 17:52, Daniel Kahn Gillmor wrote:

> In nearly every case where we're talking about automated signature
> checking, the cost of shipping the public key instead of (or in addition
> to) the fingerprint is negligible.  and shipping just the fingerprint
> introduces robustness and reliability problems for the signature
> verification.

Ah, fair enough. Thanks for clarifying this, you're making good points.
The robustness issue is indeed something I completely disregarded.

Luckily, we've already arrived at a point where keys can be as short as
hash values. Ed25519 keys are 32 bytes, i.e., the same length as a
SHA256 hash. So there's that :-)

All the best,
Cheers,
Joe

-- 
"A PC without Windows is like a chocolate cake without mustard."
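The point made in this exchange (ship the full public key alongside the signature, rather than only a fingerprint that must first be resolved to a key) can be shown concretely with Ed25519, whose 32-byte public keys are as long as a SHA-256 digest. The following Go program is an added example for this archive page; it is not code from the thread, from Travis CI or from any project discussed there. The artifact layout, the hex-SHA-256 "fingerprint" scheme and the KeyLookup interface are assumptions made for illustration. A pinned fingerprint still decides which key is trusted in both designs; the difference is that the embedded-key design can verify offline, while the fingerprint-only design fails whenever the lookup does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Artifact is a signed payload that carries the signer's full Ed25519 public
// key, so a consumer can verify it with no separate key lookup.
type Artifact struct {
	Payload   []byte
	PublicKey ed25519.PublicKey // 32 bytes, shipped in full
	Signature []byte            // 64 bytes
}

// KeyIsHashLength reports whether a raw Ed25519 public key is exactly as long
// as a SHA-256 digest (both are 32 bytes, the observation made in the mail).
func KeyIsHashLength() bool {
	return ed25519.PublicKeySize == sha256.Size
}

// GenerateKeypair makes a fresh Ed25519 keypair for the demo (never persisted).
func GenerateKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Fingerprint is the hex SHA-256 of the raw public key bytes. This is a
// hypothetical fingerprint format chosen for the example, not a real standard.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Sign produces an artifact that embeds the public key next to the signature.
func Sign(priv ed25519.PrivateKey, payload []byte) Artifact {
	return Artifact{
		Payload:   payload,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, payload),
	}
}

// VerifyEmbedded checks an artifact with the key it carries. The pinned
// fingerprint still gates trust in that key, but no network lookup is needed.
func VerifyEmbedded(a Artifact, pinnedFingerprint string) error {
	if len(a.PublicKey) != ed25519.PublicKeySize {
		return errors.New("embedded key has wrong length")
	}
	if Fingerprint(a.PublicKey) != pinnedFingerprint {
		return errors.New("embedded key does not match pinned fingerprint")
	}
	if !ed25519.Verify(a.PublicKey, a.Payload, a.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// KeyLookup models resolving a fingerprint to a key (keyserver, cache, ...).
type KeyLookup func(fingerprint string) (ed25519.PublicKey, bool)

// NoLookup models an unreachable keyserver or an empty cache.
func NoLookup(string) (ed25519.PublicKey, bool) { return nil, false }

// StaticLookup models a lookup that always returns one known key.
func StaticLookup(pub ed25519.PublicKey) KeyLookup {
	return func(string) (ed25519.PublicKey, bool) { return pub, true }
}

// VerifyFingerprintOnly is the fingerprint-only design: verification cannot
// proceed at all when the lookup fails, which is the robustness problem.
func VerifyFingerprintOnly(payload, sig []byte, pinnedFingerprint string, lookup KeyLookup) error {
	pub, ok := lookup(pinnedFingerprint)
	if !ok {
		return errors.New("key lookup failed: cannot verify signature")
	}
	if Fingerprint(pub) != pinnedFingerprint {
		return errors.New("looked-up key does not match pinned fingerprint")
	}
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	pub, priv, err := GenerateKeypair()
	if err != nil {
		panic(err)
	}
	pinned := Fingerprint(pub)
	art := Sign(priv, []byte("constructed payload: release-manifest v1")) // constructed sample input
	fmt.Println("key length == hash length:", KeyIsHashLength())
	fmt.Println("embedded-key verify:", VerifyEmbedded(art, pinned))
	fmt.Println("fingerprint-only verify, lookup unavailable:",
		VerifyFingerprintOnly(art.Payload, art.Signature, pinned, NoLookup))
}
```

Run it with `go run`; the embedded-key path verifies while the fingerprint-only path returns a lookup error, with the same pinned fingerprint in both cases.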