On Sat, Oct 21, 2017 at 3:11 PM, Duncan <1i5t5.dun...@cox.net> wrote:
> Hanno Böck posted on Sat, 21 Oct 2017 19:50:11 +0200 as excerpted:
>
>> On Sat, 21 Oct 2017 12:12:44 -0500 R0b0t1 <r03...@gmail.com> wrote:
>>
>>> People are discussing collision resistance, but no one here appears to
>>> be trained in cryptography.
>>
>> For the record, I'd claim I am.

On what basis? I performed a search on your name, and found at least one person who was belligerently calling you a liar who wastes people's time. The other results seemed to have no relation to cryptography and were about technology journalism.

>
> ... And with a number of vuln discoveries to your credit, it's safe to
> say it's not just paper certs for you, too. =:^)
>

Of what nature are these vulnerabilities? There is a vast gulf between discussing cryptography with a mathematical basis and finding code which improperly implements cryptography. Or, as it seems based on my searches, simply finding bugs or logical errors in programs.

> (And FWIW I'd point to Robin H Johnson/robbat2 as someone I know has
> authority in this area as well. There may be others. FTR I'm not one of
> them, tho as any good admin I try to follow the security news especially
> where it touches machines I administer, so I'm following this thread with
> particular interest.)
>

On what basis? As above, programming and cryptography have very little in common, besides the fact computers can be programmed to perform cryptography operations.

These posts are concerning because it looks like someone became stir crazy and invented a problem to solve. The changes proposed to date have remained poorly justified, and no one has addressed the concern that multiple hashes *is* actually more secure. If it was deemed necessary at one point, what justification was used? I.e. https://en.wikipedia.org/wiki/Wikipedia:Chesterton's_fence.

Respectfully,
R0b0t1