1 |
>>>>> On Tue, 05 Apr 2022, Jason A Donenfeld wrote: |
2 |
|
3 |
> Huh. Something not brought up there or https://bugs.gentoo.org/784710 |
4 |
> is the fact that the _security_ of the system reduces to SHA-512 as |
5 |
> used by our GPG signatures. |
6 |
|
7 |
The hash algorithm would be the least of my concerns about the security |
8 |
of these signatures. |
9 |
|
10 |
IIUC, the secret signing key is stored on a machine that is connected to |
11 |
the network (Infra, please correct me if I'm wrong). So there are other |
12 |
more likely attack vectors than a preimage attack on a 512 bit hash |
13 |
function. |
14 |
|
15 |
Also: https://xkcd.com/538/ :) |
16 |
|
17 |
Ulrich |