From mboxrd@z Thu Jan 1 00:00:00 1970
List-Id: Gentoo Linux mail
Reply-to: gentoo-dev@lists.gentoo.org
References: <1508440120.19870.14.camel@gentoo.org> <20171021195011.55b3ce6b@pc1>
From: R0b0t1
Date: Wed, 8 Nov 2017 12:57:49 -0600
Subject: Re: [gentoo-dev] Re: Manifest2 hashes, take n+1-th
To: gentoo-dev@lists.gentoo.org

On Sat, Oct 21, 2017 at 3:11 PM, Duncan <1i5t5.duncan@cox.net> wrote:
> Hanno Böck posted on Sat, 21 Oct 2017 19:50:11 +0200 as excerpted:
>
>> On Sat, 21 Oct 2017 12:12:44 -0500 R0b0t1 wrote:
>>
>>> People are discussing collision resistance, but no one here appears to
>>> be trained in cryptography.
>>
>> For the record, I'd claim I am.

On what basis? I performed a search on your name, and found at least one person who was belligerently calling you a liar who wastes people's time. The other results seemed to have no relation to cryptography and were about technology journalism.

>
> ... And with a number of vuln discoveries to your credit, it's safe to
> say it's not just paper certs for you, too. =:^)
>

Of what nature are these vulnerabilities?
There is a vast gulf between discussing cryptography with a mathematical basis and finding code which improperly implements cryptography. Or, as it seems based on my searches, simply finding bugs or logical errors in programs.

> (And FWIW I'd point to Robin H Johnson/robbat2 as someone I know has
> authority in this area as well. There may be others. FTR I'm not one of
> them, tho as any good admin I try to follow the security news especially
> where it touches machines I administer, so I'm following this thread with
> particular interest.)
>

On what basis? As above, programming and cryptography have very little in common, besides the fact computers can be programmed to perform cryptography operations.

These posts are concerning because it looks like someone became stir crazy and invented a problem to solve. The changes proposed to date have remained poorly justified, and no one has addressed the concern that multiple hashes *is* actually more secure. If it was deemed necessary at one point, what justification was used? I.e. https://en.wikipedia.org/wiki/Wikipedia:Chesterton's_fence.

Respectfully,
R0b0t1