David Shaw dshaw at jabberwocky.com
Fri Sep 29 15:01:41 CEST 2006

On Fri, Sep 29, 2006 at 07:50:21AM -0500, Robert J. Hansen wrote:
> David Shaw wrote:
> > It's important to not focus unduly on one thing.  This gives hash
> > firewalls too much import.  Today it's hash firewalls.  Yesterday it
> > was hash length.  Before that it was key size, etc, etc.  Make sure
> > you're not armoring your front door to an absurd degree and leaving a
> > window open. :)
> While true, if this was all there was to it most of us would still be
> using PGP 2.6.  :)

It's interesting you mention PGP 2.6.  The main "problem", such as it
is, with 2.6 is that there wasn't a problem with it.  It's a familiar
(though somewhat tongue in cheek) refrain in the OpenPGP WG and among
OpenPGP developers that it's too bad PGP 2.6 was never broken so
people would just stop using it and upgrade already.

> The idea of low-hanging fruit comes to mind here.  Obsessing over the
> front door is a bad idea, but if there's a deadbolt you can throw
> without any difficulty and you're going to walk by the door anyway on
> the way to the stairs, why not?

My concern is that the front door is already 1000 pounds of reinforced
carbon steel and has protruding spikes and built-in lasers or some
such.  No harm in throwing the deadbolt, but spending a lot of time
worrying about the deadbolt takes time away from worrying that the
window next to the front door is still open...


More information about the Gnupg-devel mailing list