Date:   Mon, 5 Aug 2019 16:59:58 +0200
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     "Eric W. Biederman" <ebiederm@...ssion.com>
Cc:     Jiri Kosina <jikos@...nel.org>, linux-kernel@...r.kernel.org,
        Jonathan Corbet <corbet@....net>, security@...nel.org,
        linux-doc@...r.kernel.org, Thomas Gleixner <tglx@...utronix.de>,
        Mauro Carvalho Chehab <mchehab+samsung@...nel.org>
Subject: Re: [PATCH] Documentation/admin-guide: Embargoed hardware security issues

On Mon, Aug 05, 2019 at 09:40:21AM -0500, Eric W. Biederman wrote:
> 
> I skimmed this and a couple things jumped out at me.
> 
> 1) PGP and S/MIME, because of their use of long-term keys, do not provide
>    forward secrecy, which can make it worthwhile to cryptographically
>    factor a key or to obtain knowledge of a private key without the key
>    holder's knowledge, as the keys will be used again and again over a
>    long period of time.

Secrecy over a "long period of time" is not what is needed here.  6
months max is what I have seen; why would you need longer?

>    More recent protocols such as Signal's Double Ratchet Protocol
>    enable forward secrecy for store-and-forward communications, and
>    remove the problem of long-term keys.

And how does that work with email?  We need something that actually
works with a tool that everyone can use for development (i.e. email).

> 2) The existence of such a process with encrypted communications to
>    ensure long-term confidentiality is going to make our contact people
>    the targets of people who want access to knowledge about hardware
>    bugs like Meltdown, before they become public.

Why are those same people not "targets" today?

And again, it's not long-term.

> I am just mentioning these things in case they are not immediately
> obvious to everyone else involved, so that people can be certain
> they are comfortable with the tradeoffs being made.

I know of no other thing that actually works (and lots of people can't
even get PGP to work as they use foolish email clients.)  Do you?

thanks,

greg k-h
