1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:pycrypto%40lists.dlitz.net?Subject=%5Bpycrypto%5D%20how%20to%20handle%20known%20security%20holes%20Re%3A%20Comments%0A%09on%09Elgamal%2C%20and%20a%20broader%20question%3A%20Whither%20pycrypto%3F&In-Reply-To=AANLkTinbrh2ed_atX8h6iFwGBUOhzSTkYeBak_KbdERj%40mail.gmail.com">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="000370.html">
<LINK REL="Next" HREF="000373.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?</H1>
<B>Dwayne C. Litzenberger</B>
<A HREF="mailto:pycrypto%40lists.dlitz.net?Subject=%5Bpycrypto%5D%20how%20to%20handle%20known%20security%20holes%20Re%3A%20Comments%0A%09on%09Elgamal%2C%20and%20a%20broader%20question%3A%20Whither%20pycrypto%3F&In-Reply-To=AANLkTinbrh2ed_atX8h6iFwGBUOhzSTkYeBak_KbdERj%40mail.gmail.com"
TITLE="[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?">dlitz at dlitz.net
</A><BR>
<I>Mon Jan 3 10:54:22 CST 2011</I>
<P><UL>
<LI>Previous message: <A HREF="000370.html">[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?
</A></li>
<LI>Next message: <A HREF="000373.html">[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#371">[ date ]</a>
<a href="thread.html#371">[ thread ]</a>
<a href="subject.html#371">[ subject ]</a>
<a href="author.html#371">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>+1
Could someone volunteer to do a quick survey of publicly available code that uses PyCrypto to see who (if anyone) is actually using Crypto.PublicKey.ElGamal?
"Paul Hoffman" <<A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">paul.hoffman at gmail.com</A>> wrote:
><i>On Mon, Jan 3, 2011 at 7:15 AM, Zooko O'Whielacronx <<A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">zooko at zooko.com</A>>
</I>><i>wrote:
</I>>><i> Folks:
</I>>><i>
</I>>><i> We need to decide what to do when we find flaws in PyCrypto which
</I>>><i> would expose a user who relies on PyCrypto to harm.
</I>>><i>
</I>>><i> It wouldn't hurt to send an announcement email in some consistent
</I>>><i> format saying something like "security advisory" in the subject line,
</I>>><i> and to update the download page or a NEWS page or whatever to warn
</I>>><i> about the insecure Elgamal implementation.
</I>>><i>
</I>>><i> Perhaps also delete, comment-out, or disable the Elgamal
</I>>><i> implementation and ship a new release of PyCrypto.
</I>>><i>
</I>>><i> It really makes me uncomfortable to see the PyCrypto project ship
</I>>><i> software to users which claims on the label that they can rely on it
</I>>><i> when we know that if they do, they may be exposed to harm.
</I>><i>
</I>><i>+1 to commenting out or disabling things which anyone has serious
</I>><i>security concerns over.
</I>><i>_______________________________________________
</I>><i>pycrypto mailing list
</I>><i><A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">pycrypto at lists.dlitz.net</A>
</I>><i><A HREF="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto</A>
</I>
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
</PRE>
<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Previous message: <A HREF="000370.html">[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?
</A></li>
<LI>Next message: <A HREF="000373.html">[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#371">[ date ]</a>
<a href="thread.html#371">[ thread ]</a>
<a href="subject.html#371">[ subject ]</a>
<a href="author.html#371">[ author ]</a>
</LI>
</UL>
<hr>
<a href="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">More information about the pycrypto
mailing list</a><br>
</body></html>
|