-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 01/03/2014 03:36 AM, Adrian Sevcenco wrote: IMHO underlying problem is not > that a cipher/process/code was compromised but that the > supervising _trustworthy_ entity is in fact not trustworthy at > all! It will be interesting to see how this plays out. I have enough experience with government to know that there are indeed people who really care about what they do and I'm inclined to accept that some of them at NIST are indeed really, really upset about this. But if I understood and am remembering correctly, NSA's involvement was mandated by statute. Back to a more technical point: If indeed the compromised algorithm is *not* enabled in openssl (as a build option) by default, how would apache be able to use it, even in rare instances, unless somebody actually selected that option? - -- David Benfell see https://parts-unknown.org/node/2 if you don't understand the attachment -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.0-ecc (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCgAGBQJSxzWNAAoJEKrN0Ha7pkCOTxYP/2KXKJ3QYnC51baCNWqvZxG9 nvWmi3WR0Stm81suJDC46IV5yJMgqGPV1JGaXVAh9YliiRBqCDEEhKk87NYpbMfT nGUaMARp1EOyW1r2WH7JbwAbX37jNnJg65bvxdS7UqSuwxCjjg29Tnah1ybSCV9k jEPI8Ssccc9uVglUPzj1LJsIeSq2JysZicZHa3jgxhFC2erfqPmDxVVYYheCD6Mb kZtVxJ+E5o/y+X0B1kgV2ZXYB0D7VlnOCKl6XxzY7t8qeDh4JMx4bFxXKEBAsUGt pOX3siD/ferpbt3xkQyz9L8IutZWkTO3wwuJ9faM+fPYTPlqzTtA/xCEbDOz6rgZ ZUcr2FNi+KLn0Yt4PxYFTseLHV1QMtztsozGweD0+90CDAkgeTphd15VLf+xttlw JJ4jOP4kyUxq/lAJl16xzoyM9sttZnf1brBOaSqsc2nccX8k6dlbyHsRY/AfLtXb /7499cGR1XdxVRt7LtvUG4XLLMh3CIGT1kv4txzldXJJhFvETlPpfbtAjumwh6pd +qQWtewVxH0QVV5LX/lYV7RgquLMhM++nkMcMvB+wvyEUDAalRdeNYZ/zrWNw9cX OT+OYZGRu5LDRDDjeKzDmyDhAGoLPDIw4qpxoH/6ypPzkm4glOS22gI/f38TtoJD ojKtZnrYUVe/Po5QyH3c =1h31 -----END PGP SIGNATURE-----