oss-sec mailing list archives

Re: Closed list


From: klondike <klondike () xiscosoft es>
Date: Sat, 02 Apr 2011 06:00:40 +0200

On 01/04/11 20:03, Josh Bressers wrote:
> Initial members will have had to be a vendor-sec member (no exploders this
> time around). You must reply to this thread, in public (on oss-security).
> We want this to be very public, we have nothing to hide. You must have a
> public gpg key ID included in your reply. The new list will gpg encrypt all
> mail (it does accept plaintext messages though)
Will the list provide protection against rubber-hose cryptanalysis? If
so, how? GPG, like most other cryptographic software, is vulnerable to it.
What about black-bag cryptanalysis?

Some time ago I was taught that the best way to be sure a secret was not
known was not saying it, so if you, researchers, want to make sure your
PoCs aren't abused, do things properly: warn the vendors to upgrade the
product because of your security finding and avoid providing PoCs until
enough time has passed for you to be sure everybody has had a chance to
upgrade.

Any other solution can be easily flawed since you can't make sure I
won't buy/kidnap/kidnap relatives of/steal data from etc. on anybody on
such a private list.

Attachment: signature.asc
Description: OpenPGP digital signature
