oss-sec mailing list archives

Re: Travis CI MITM RCE

From: zugtprgfwprz () spornkuller de
Date: Fri, 31 Aug 2018 22:54:47 +0200

On 31.08.2018 17:52, Daniel Kahn Gillmor wrote:

In nearly every case where we're talking about automated signature
checking, the cost of shipping the public key instead of (or in addition
to) the fingerprint is negligible.  and shipping just the fingerprint
introduces robustness and reliability problems for the signature
verification.


Ah, fair enough. Thanks for clarifying this, you're making good points.
The robustness issue is indeed something I completely disregarded.

Luckily, we've already arrived at a point where keys can be as short as
hash values. Ed25519 keys are 32 bytes, i.e., the same length as a
SHA256 hash. So there's that :-)

All the best,
Cheers,
Joe

-- 
"A PC without Windows is like a chocolate cake without mustard."

Current thread:

Travis CI MITM RCE Jakub Wilk (Aug 25)
- Re: Travis CI MITM RCE Phil Pennock (Aug 26)
  - Re: Travis CI MITM RCE Jeremy Stanley (Aug 26)
  - Re: Travis CI MITM RCE Daniel Kahn Gillmor (Aug 28)
    - Re: Travis CI MITM RCE zugtprgfwprz (Aug 30)
    - Re: Travis CI MITM RCE vines (Aug 31)
    - Re: Travis CI MITM RCE zugtprgfwprz (Sep 01)
    - Re: Travis CI MITM RCE Daniel Kahn Gillmor (Aug 31)
    - Re: Travis CI MITM RCE zugtprgfwprz (Sep 01)