Thanks Ingo for your (as always) good attention to detail and detailed feedback I really appreciate it ...
Point taken Ingo re the patch... :) and tech@ :) and discussion duly moved to misc@ it was more of a heads up Ill work on my programming skills :) cheers, Tom Smyth On Wed, 13 Mar 2019 at 22:32, Ingo Schwarze <schwa...@usta.de> wrote: > > Hi Tom, > > Tom Smyth wrote on Wed, Mar 13, 2019 at 08:32:20PM +0000: > > > Just saw the following article and i was wondering if libressl > > Might be affected by the bug also > > Top bit being set to 0 always making an effective 63 bits rather than 64 > > bits > > If i understand the article you quote correctly, is is about a minor > bug in some CA softwares (i.e. softwares used to operate certificate > authorities). As far as i am aware, LibreSSL does *not* include any > software that can be used to operate a certificate authority. > > The "openssl ca" subcommand of openssl(1) definitely does not count. > The openssl(1) utility is a *testing tool* and must not be used for > any kind of production purposes. > > So i don't see how LibreSSL could possibly be affected. > > If you still think it might be, please consider stating more precisely > which part of LibreSSL (i.e. which library function) you fear might > be broken in precisely which way. > > > https://www.theregister.co.uk/2019/03/13/tls_cert_revoke_ejbca_config/ > > My impression is that the most important sentence from that article is > the following: > > While the serial number security issue is largely theoretical - > 63 bits leaves plenty of space to fend off collision attacks, > even if it's not compliant with the spec [...] > > That means this is unlikely to be a security issue in the first > place but looks more like a minor bug where some software is > gratutiosly violating a specification. Sure, specifications should > not be set aside without a good reason, and certainly not accidentally, > and bugs ought to be fixed, but i fail to see any indication that > this bug might be more important than other run-of-the-mill bugs. > > Please take this with a grain of salt: while i did occasionally > work on LibreSSL documentation in the past, my knowledge and > experience in matters of cryptography and PKI is very limited. > But i thought quick feedback might help to discourage people from > panicking. > > Also, if you want to continue this discussion, i suggest moving > to misc@. You didn't include a patch! ;-) > > Yours, > Ingo -- Kindest regards, Tom Smyth Mobile: +353 87 6193172 The information contained in this E-mail is intended only for the confidential use of the named recipient. If the reader of this message is not the intended recipient or the person responsible for delivering it to the recipient, you are hereby notified that you have received this communication in error and that any review, dissemination or copying of this communication is strictly prohibited. If you have received this in error, please notify the sender immediately by telephone at the number above and erase the message You are requested to carry out your own virus check before opening any attachment.
