lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <419737557.20150302090233@gmail.com>
Date: Mon, 2 Mar 2015 09:02:33 +0100
From: Krisztián Pintér <pinterkr@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] PHC status report

Solar Designer (at Monday, March 2, 2015, 7:38:49 AM):

> (I acknowledge that there are some scenarios, which
> might become more common in the future, where the lack of cache-timing
> resistance has practical security cost, too. And I'd like to thank
> Krisztian for reminding us of these on several occasions.)

Let me remind you that the topic did not receive a whole lot of attention, and mostly met silence. If there was any discussion on the private forum, it would be useful to hear about it. The only reaction I can recall from the panel was Jeremi Gosney's, and his rather peculiar remark of "Password hashing is not cryptography. Timing attacks are not a practical concern in password hashing, especially not with salted schemes."

> Yes, Rig update was accepted and was considered along with other
> submissions after that point, but Rig already ranked poorly by that time
> and there was no policy to require panel members to reconsider their
> assessment of a candidate whenever an update was received and accepted.
> So bugs in the earlier version did affect the non-selection.

After reading this five times, I'm still unable to find any meaning that would be acceptable. Please explain to me in what framework that makes sense. Catena got a complete rewrite after a practical break, and it was still accepted. Apparently, a bugfix in an implementation was not.

This and other remarks from other panel members just make me more and more convinced that there is no rationale behind the decision, but only personal preference. The status report is only a patchwork to put something on the table. If it came down to a vote, I think we should see the results of that vote. Why is it secret again?