Salut, Maurice Volaski,
On Mon, 7 Jul 2008 11:53:17 -0400, Maurice Volaski wrote:
Again, I think you're confusing security with a lazy programming
practice. We're talking open source here. The perfect oracle is
already there, just not in plain English.
I'm not talking about exposing information about the source code, which
is good, but disclosing information about the key material, which is
not nearly as desirable. Please keep that in mind when you re-read my
prior mails as you don't seem to have understood it.
Who said the key needs to be exposed to the client's debug log or
even the server's? Are you trying to say that fixing this real
example of lazy programming,
https://bugzilla.mindrot.org/show_bug.cgi?id=1388, is somehow going
to expose the key?
--
Maurice Volaski, mvolaski@xxxxxxxxxxxx
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University
