key generation: paranoia mode - explicit random input

Robert J. Hansen rjh at sixdemonbag.org
Fri Feb 28 22:09:21 CET 2014


> But what does that mean in practice? Does that mean we don't aim for 
> improvements any more, not even those which are easy to implement?

It means that when people ask questions like, "But how do we know the
GnuPG in distro XY has not been compromised?", we give them clear,
matter-of-fact answers: you don't, but if you're serious about this
question you clearly need to use a different distro because the distro
has literally millions of ways to screw you over surreptitiously.

Your proposal tries to answer that question with, "well, use this
technique."  I've read your proposal and it doesn't seem like it solves
anything -- which I regret: I really wish it did.

Introducing stronger hash algorithms is easy to justify.  Introducing
new technologies that don't mitigate the problems they exist to solve...
not so much.



More information about the Gnupg-users mailing list