
Re: RFC: gnupg



-----BEGIN PGP SIGNED MESSAGE-----

On 6 Jul 1998, James Troup wrote:

>We are switching to FHS; all packages have to be uploaded again
>anyway.  Duh.

    ?  Is something inherent in dpkg going to be affected by FHS?
Certainly not all packages have files in directories that have been
changed between FSSTND and FHS...


[signing GPG output]

>Rubbish, try it and see.  It works fine.

    Hm.  So it does.  
    Odd.  I distinctly remember having tried something similar with PGP
and having had to move a section of stuff outside the signed message.
Ah well.  My fault for not having tested it.


[improbable key substitution attack]

>And in fact has SFA to do with this discussion, since it's a
>``security hole'' every time we add a PGP key to the keyring.

    Really?  Developer A wants to upgrade his 768-bit key to a 2048-bit
key.  Taking his 768-bit key, he signs his newly created 2048-bit key,
extracts it, and sends it off to tester B.  Intruder C can then do what?
Generate a new 2048-bit key?  Signed with what?  Itself?  It won't be
signable with the 768-bit key, since C doesn't have that secret
component.
    

>Complete and utter rubbish.  Don't confuse your delusions with the

[...]

>More complete and utter rubbish; I'm already involved in kerying

    ??  Okay, I need to check the archives again.

    ...

    Conceded.  I must have misread something the first time around (I do
read the policy list).  Not sure where I got the impression, but I have
a memory of thinking that it seemed a rather reckless conversion.  Upon
checking the archives, I can find nothing to substantiate that
impression.  
    For the moment, I'll pass it off as a stress-related memory problem 
combined with an inherent distrust of completely new security software.
I'll ask you to hold off on the "delusional" bit, though, until my
doctor agrees and puts me on medication.


>Please come back when you have something valid to say.

    Well, then, I apparently owe you an apology for having been wrong on
two counts and having spoken before testing the software.  I'd like to
maintain the following, though:

    1) I think the transition period isn't going to go as smoothly as
       you think, and I hope this is accounted for.
    2) My understanding of Tiger and Blowfish is that they are
       mathematically sound but not well tested, and that bothers me.
       If you can point me to a document citing otherwise, let me know.
       I'll grant that for the purposes of the project it's more
       important to shift to something free.
    3) Your fuse is too short.  It would have taken half the time to
       reach this point if you had managed to keep a professional tone.
       (the skin is thick, not impermeable)


>[ Oh, and please stop Ccing me, I read debian-devel, I don't need your
> 10kb mails twice ]

    Noted for future use.

=============================================================================
 Zed Pobre <zed@va.debian.org>  |  PGP key on servers, fingerprint on finger
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 5.0
Charset: noconv

iQEVAwUBNaAIeNwPDK/EqFJbAQGaIwf8CKWlnIoAlSGUwAQUSj0Y3SfefUUqoJCl
ErF+i4GYfoyPjaUNqHFCMIebPv0doGPuaJzv7Zlz/wfX9AA+CSv1NLWtXnEzuyXh
lAvh58CaCKyU96Yusf5x0RtlWrSrQOzM0N09ORLvEZmCQKaZRgfrOR8EEfT4NUGj
pIZbAWs3CddeCxfd2IKbv0A2TPn736nWBQyw4i+pX4wwBtT7ARJYIBBMj2fBZUXy
10mExhi1QuIRne9wWk/x2/HRBBcOjWL+3Q8/ib9RkJc6WFnbrP9IqmvzL390Wqrm
6admTTsi6kmjN/lVdxPDrSclhjv9H+pAb65JVgqDYZ/+2+HifLupAQ==
=PNA7
-----END PGP SIGNATURE-----
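The key-transition argument made in the message above (developer A signs
the new key with the old one, and intruder C cannot forge that signature
without the old secret component), worked through as an added example.
This is not code from the message, from Debian or from GnuPG: textbook RSA
over SHA-256 stands in for the OpenPGP certification signature, the keys
are freshly generated toy keys, and the names A, B and C follow the
message.  Tester B accepts the new key only if its signature verifies under
the old public key B already trusts; C's substitute key fails both with the
stolen signature attached and with C's own self-signature.

```python
"""Toy model of the key-transition check: old key certifies new key."""
import hashlib
import math
import random


def is_probable_prime(n, rounds=20):
    """Miller-Rabin test (assumption: good enough for a toy key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_key(bits, rng):
    """Return (public, private) toy RSA keys; 512 bits keeps n > SHA-256 digest."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def encode_pubkey(pub):
    """Serialise a public key: this is the data the old key signs."""
    return f"rsa-toy:{pub['n']}:{pub['e']}".encode()


def sign(priv, data):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(h, priv["d"], priv["n"])


def verify(pub, data, sig):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(sig, pub["e"], pub["n"]) == h


def accept_transition(trusted_old_pub, transition):
    """Tester B's rule: the new key counts only if the OLD key signed it."""
    return verify(trusted_old_pub, transition["new_key"], transition["sig"])


def key_transition_demo(seed=1998):
    rng = random.Random(seed)                       # constructed, reproducible keys
    old_pub, old_priv = generate_key(512, rng)      # A's existing key (B trusts it)
    new_pub, _new_priv = generate_key(512, rng)     # A's replacement key
    c_pub, c_priv = generate_key(512, rng)          # intruder C's substitute key

    # A: certify the new key with the old one and send the bundle to B.
    genuine = {"new_key": encode_pubkey(new_pub),
               "sig": sign(old_priv, encode_pubkey(new_pub))}

    # C, attack 1: swap in own key but keep A's signature bytes.
    substituted = {"new_key": encode_pubkey(c_pub), "sig": genuine["sig"]}
    # C, attack 2: sign the substitute key with itself ("Signed with what? Itself?").
    self_sig = sign(c_priv, encode_pubkey(c_pub))
    self_signed = {"new_key": encode_pubkey(c_pub), "sig": self_sig}

    return {
        "genuine_accepted": accept_transition(old_pub, genuine),
        "substituted_key_rejected": not accept_transition(old_pub, substituted),
        "self_signed_substitute_rejected": not accept_transition(old_pub, self_signed),
        # The self-signature is internally valid, which is exactly why it proves nothing
        # about continuity with A's old key.
        "self_signature_valid_under_own_key": verify(c_pub, encode_pubkey(c_pub), self_sig),
    }


if __name__ == "__main__":
    for check, result in key_transition_demo().items():
        print(f"{check}: {result}")
```

The point the toy makes concrete is that B's acceptance rule keys on the
already-trusted old public key, not on whatever key happens to be in the
bundle; a real OpenPGP transition works the same way with a certification
signature from the old key over the new key's packets, and B should check
it with the old key already in the keyring rather than one fetched along
with the new key.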

