On 01/03/2014 03:36 AM, Adrian Sevcenco wrote:
> IMHO the underlying problem is not that a cipher/process/code was compromised but that the supervising _trustworthy_ entity is in fact not trustworthy at all!
It will be interesting to see how this plays out. I have enough experience with government to know that there are indeed people who really care about what they do and I'm inclined to accept that some of them at NIST are indeed really, really upset about this.
But if I understood and am remembering correctly, NSA's involvement was mandated by statute.
Back to a more technical point: If indeed the compromised algorithm is *not* enabled in openssl (as a build option) by default, how would apache be able to use it, even in rare instances, unless somebody actually selected that option?
--
David Benfell
see https://parts-unknown.org/node/2 if you don't understand the attachment