| 1 |
Hi, |
| 2 |
|
| 3 |
On Wed, 25 Oct 2017 02:40:58 +0000 |
| 4 |
"Robin H. Johnson" <robbat2@g.o> wrote: |
| 5 |
|
| 6 |
> At that point, and this is a serious proposal: |
| 7 |
> The package manager shall decide which hashes to check, but is |
| 8 |
> required to check at least one hash. The choice may be 'fastest', |
| 9 |
> 'most secure', or any local factor. |
| 10 |
|
| 11 |
Sorry to contribute again to the bikeshedding, but I'd really like to |
| 12 |
get one thought across here: |
| 13 |
Good security includes reducing complexity. Tough (as evident by this |
| 14 |
thread) it's a thought many people find hard to accept. |
| 15 |
|
| 16 |
I don't think this is most important in this discussion, but I feel |
| 17 |
it's something people should keep in mind also for other decisions to |
| 18 |
be made. |
| 19 |
|
| 20 |
This thread is going into a completely different direction and I find |
| 21 |
that worriesome. We have two non-problems ("what if secure hash X gets |
| 22 |
broken?" and "what if it's too slow? I haven't benchmarked, but what if |
| 23 |
it's too slow??") and people proposing increasingly complex solutions. |
| 24 |
|
| 25 |
If you do what you propose my worries aren't that any hash gets broken |
| 26 |
or that it's too slow. It's that some bug will chime in where in some |
| 27 |
situation no hash gets checked whatsoever. |
| 28 |
|
| 29 |
Having more than one hash is already unneeded complexity. Nobody does |
| 30 |
that. TLS signatures use one hash. GPG signatures uses one hash. Signal |
| 31 |
uses one hash. I'm not aware of any credible cryptographic product that |
| 32 |
feels the need to have multiple hashes concatenated. (The only real |
| 33 |
example I'm aware of is old TLS versions who chose to concat two |
| 34 |
insecure hashes - MD5+sha1 - which obviously wasn't the smartest idea |
| 35 |
either, but one can credibly say they didn't know better back then.) |
| 36 |
|
| 37 |
Having a situation where one can either check one hash or multiple and |
| 38 |
add configurability around that is another step of adding unneeded |
| 39 |
complexity. |
| 40 |
|
| 41 |
|
| 42 |
Also one more comment about the issue with potentially buggy Hash |
| 43 |
implementations: I feel this is a software testing problem rather than |
| 44 |
anything that should influence our package manager format or be tested |
| 45 |
at runtime. Add a self-test of hash functions with a large batch of |
| 46 |
test vectors that you can easily run. |
| 47 |
|
| 48 |
-- |
| 49 |
Hanno Böck |
| 50 |
https://hboeck.de/ |
| 51 |
|
| 52 |
mail/jabber: hanno@××××××.de |
| 53 |
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 |
Archives