On Mon, Apr 16, 2018 at 06:06:33PM +0100, Matt Caswell wrote:
>
> As I say in the PR (marked as WIP) I am seeking feedback as to whether
> this is something we should pursue now (i.e. for 1.1.1) or later (post
> 1.1.1) or not at all.
A related question I have is, do we consider this security issu
On Mon, Apr 16, 2018 at 05:57:33PM +, David Benjamin wrote:
> This also aligns with the guidelines here:
> https://github.com/HACS-workshop/spectre-mitigations/blob/master/crypto_guidelines.md#2-avoid-indirect-branches-in-constant-time-code
I think you actually meant #1 instead of #2
But when
I was actually going to file a ticket somewhere and never got around to
it...
In BoringSSL, we've instead gone the route of removing BN_FLG_CONSTTIME
altogether. Rather call sites which need a particular function call that
function directly. I think this is much less error-prone (as the various
pr
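To make the design point concrete, here is an added illustration (a toy API written for this thread, not OpenSSL or BoringSSL code; the names `toy_secret`, `TOY_FLG_CONSTTIME`, `toy_eq_flagged` and `toy_eq_direct` are hypothetical). It contrasts a flag-dispatched comparison, shaped like BN_FLG_CONSTTIME, where a caller that forgets the flag silently gets the variable-time path, with a direct call to the constant-time function, where there is no flag to forget. Both produce the same answers, which is exactly why the mistake is easy to miss in tests.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-object flag, mirroring the shape of BN_FLG_CONSTTIME. */
#define TOY_FLG_CONSTTIME 0x01

typedef struct {
    uint8_t v[32];
    int flags;
} toy_secret;

/* Variable-time compare: memcmp may stop at the first differing byte, so
 * its running time depends on how many leading bytes match. */
static int toy_eq_vartime(const uint8_t *a, const uint8_t *b, size_t n)
{
    return memcmp(a, b, n) == 0;
}

/* Constant-time compare: touches every byte, no secret-dependent branch.
 * ((acc - 1) >> 8) & 1 is 1 only when acc == 0, i.e. all bytes matched. */
static int toy_eq_consttime(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= a[i] ^ b[i];
    return (int)((((uint16_t)acc - 1) >> 8) & 1);
}

/* Flag-dispatched design: the result is correct either way, but a call
 * site that never set TOY_FLG_CONSTTIME gets the leaky path with no
 * functional symptom to reveal it. */
int toy_eq_flagged(const toy_secret *a, const toy_secret *b)
{
    if (a->flags & TOY_FLG_CONSTTIME)
        return toy_eq_consttime(a->v, b->v, sizeof a->v);
    return toy_eq_vartime(a->v, b->v, sizeof a->v);
}

/* Direct design (the route described above): the call site names the
 * constant-time function, so the choice is visible in code review and
 * cannot be lost by a missing flag. */
int toy_eq_direct(const toy_secret *a, const toy_secret *b)
{
    return toy_eq_consttime(a->v, b->v, sizeof a->v);
}

/* Builds two constructed 32-byte values (equal, or differing in byte 0)
 * and compares them through either API; returns 1 for equal, 0 otherwise. */
int toy_example(int differ, int use_flag, int via_direct)
{
    toy_secret a, b;
    memset(&a, 0, sizeof a);
    memset(&b, 0, sizeof b);
    a.v[31] = 0x2a;                 /* constructed sample value */
    b.v[31] = 0x2a;
    if (differ)
        b.v[0] ^= 0x01;
    a.flags = use_flag ? TOY_FLG_CONSTTIME : 0;
    return via_direct ? toy_eq_direct(&a, &b) : toy_eq_flagged(&a, &b);
}

int main(void)
{
    /* Same answers from both designs; only the timing behaviour differs. */
    printf("flagged, flag unset, equal   : %d\n", toy_example(0, 0, 0));
    printf("flagged, flag unset, differ  : %d\n", toy_example(1, 0, 0));
    printf("direct, equal                : %d\n", toy_example(0, 0, 1));
    printf("direct, differ               : %d\n", toy_example(1, 0, 1));
    return 0;
}
```

The functional tests pass for every combination, which is the practical argument for the direct style: a review or a grep for `toy_eq_vartime` on secret data finds the problem, whereas the flag version hides it in state set somewhere else.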
I think this is a great idea, but that it is way too late for this release. We
really should be concentrating on testing and fixes, and open PRs and other
release criteria. Ideally the release goes out in a month (IETF RFC editor
willing).