On Sat, Jun 27, 2015 at 7:07 PM, Johannes Bauer <dfnsonfsdu...@gmx.de> wrote:
> On 27.06.2015 10:53, Chris Angelico wrote:
>> On Sat, Jun 27, 2015 at 6:38 PM, Steven D'Aprano <st...@pearwood.info> wrote:
>>> I'm not a security expert. I'm not even a talented amateur. *Every time* I
>>> suggest that "X is secure", the security guy at work shoots me down in
>>> flames. But nicely, because I pay his wages <wink>
>>
>> Just out of interest, is _anybody_ active in this thread an expert on
>> security?
>
> Yes. I've done a good 10 years of work in the field doing security
> (mostly applied cryptography on embedded systems with a focus on side
> channels like DPA, but also security concepts and threat/risk analysis)
> and spent the last 3-4 years working on my PhD in the field of IT
> security. My thesis is almost(tm) finished. I would claim to be an
> expert, yes.

Good, so this isn't like that episode of Yes Minister when they were
trying to figure out whether to allow a chemical factory to be built.

>> I certainly am not, which means that the proposal I'm
>> currently putting together probably has a whole bunch of
>> vulnerabilities that I haven't thought of. (Though there's no emphasis
>> on encryption anywhere, just signing. I'm *hoping* that RSA public key
>> verification is sufficient, but if it isn't, it would be possible for
>> a malicious user to make a serious mess of stuff.) But I'm under no
>> delusions. I don't say "this is secure" - all I'm saying is "this
>> works in proof-of-concept".
>
> I must admit that I haven't seen your ideas in this thread?

No, the proposal I'm putting together is unrelated. You'll see the
*vast* extent of my security skills here:

https://github.com/Rosuav/ThirdSquare

My contribution to this thread has been fairly minor, just suggesting
one attack that doesn't even work any more, not much else.

ChrisA