1995-09-27 - Re: Security Update news release

Header Data

From: Adam Shostack <adam@homeport.org>
To: patrick@Verity.COM (Patrick Horgan)
Message Hash: 1fe481b1bd7fece682f35f5c561bf3de4373a9f4d68d3d3a98b7c4b7bc4d9843
Message ID: <199509271402.KAA23709@homeport.org>
Reply To: <9509261733.AA22080@cantina.verity.com>
UTC Datetime: 1995-09-27 14:00:11 UTC
Raw Date: Wed, 27 Sep 95 07:00:11 PDT

Raw message

From: Adam Shostack <adam@homeport.org>
Date: Wed, 27 Sep 95 07:00:11 PDT
To: patrick@Verity.COM (Patrick Horgan)
Subject: Re: Security Update news release
In-Reply-To: <9509261733.AA22080@cantina.verity.com>
Message-ID: <199509271402.KAA23709@homeport.org>
MIME-Version: 1.0
Content-Type: text


| > >  Here is the press release we put out this morning regarding the fix
| > >for RNG seed and stack overflow problems.
| > 
| > Do the new versions use PGP's randseed.bin? If Netscape even only looks at
| > data used to keep PGP secure,  Netscape will be banned from my computer
| > and every computer I am responsible for. -- For good.
| 
| That doesn't quite make sense.  Netscape reading randseed.bin can have no
| effect on the security of PGP.

	I think you meant to say:

	"If md5 is a solid hash fucntion, and if Netscape doesn't dump
core somewhere publically readable, and if Netscape doesn't
accidentally have a stack overflow that causes your randseed,bin to
become confused with last-url-visited, then it is very unlikely that
Netscape reading your randseed.bin will have an effect on the security
of your PGP keys or messages."

	The history of people doing the impossible is too long to not
spell out your security assumptions.

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume





Thread