On Thu, Dec 15, 2011 at 04:51:02PM +0100, Guido Trentalancia wrote:
> Also consider that Redhat, being a supplier of systems to the US
> government, might have legal obligations towards it to use NSA or at
> least NIST certified cryptographic equipment instead of uncertified
> open-source software such as gpg (www.gnupg.de) that I had proposed to
> you as an initial affordable solution fit for purpose of many home users
> provided that gpg is in turn secure and provided that the algorithms
> being used are secure enough.

Why does it matter what Red Hat legal obligations are? I say it once again: SHA256 is not there to provide security. GPG might be nice, not doing it at the moment, will be done at some point in future.

> But if you really never heard anything like this before, then a good
> introductory article for the general public is the following one:
>
> http://www.bbc.co.uk/news/uk-england-gloucestershire-11475101
>
> Of course other algorithms can be invented and created if those provided
> at no cost by gpg do not suit your taste or if you can prove that they
> are faulty or too weak.

I suggest looking into practical security instead of your theoretical stuff. Yeah GPG might have some added value. Practically speaking, with the current infrastructure at GNOME, it will provide a _false_ sense of security.

Please read https://lwn.net/Articles/467598/ to see how I work on security. Fixing the bigger problems, instead of minor things like GPG while leaving a big gaping door open.

--
Regards,
Olav
_______________________________________________
gnome-infrastructure mailing list
[email protected]
http://mail.gnome.org/mailman/listinfo/gnome-infrastructure
