summaryrefslogtreecommitdiff
path: root/8f/c6212d91034d5423f618860c3c2ad98925a6ed
blob: 2b918055f40a5b34c5b7f18bd835e9681f990bd6 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
Return-Path: <pete@petertodd.org>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 72FF9360
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sat, 25 Feb 2017 21:40:25 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from outmail149081.authsmtp.net (outmail149081.authsmtp.net
	[62.13.149.81])
	by smtp1.linuxfoundation.org (Postfix) with ESMTP id A415617F
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sat, 25 Feb 2017 21:40:24 +0000 (UTC)
Received: from mail-c247.authsmtp.com (mail-c247.authsmtp.com [62.13.128.247])
	by punt22.authsmtp.com (8.14.2/8.14.2/) with ESMTP id v1PLeLVo052720;
	Sat, 25 Feb 2017 21:40:21 GMT
Received: from petertodd.org (ec2-52-5-185-120.compute-1.amazonaws.com
	[52.5.185.120]) (authenticated bits=0)
	by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id v1PLeJen084754
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Sat, 25 Feb 2017 21:40:20 GMT
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by petertodd.org (Postfix) with ESMTPSA id F421F40092;
	Sat, 25 Feb 2017 21:40:18 +0000 (UTC)
Received: by localhost (Postfix, from userid 1000)
	id 4FFD9204AB; Sat, 25 Feb 2017 16:40:18 -0500 (EST)
Date: Sat, 25 Feb 2017 16:40:18 -0500
From: Peter Todd <pete@petertodd.org>
To: Steve Davis <steven.charles.davis@gmail.com>
Message-ID: <20170225214018.GA16524@savin.petertodd.org>
References: <8F096BE1-D305-43D4-AF10-2CC48837B14F@gmail.com>
	<20170225010122.GA10233@savin.petertodd.org>
	<208F93FE-B7C8-46BE-8E00-52DBD0F43415@gmail.com>
	<CAN6UTayzQRowtWhLKr8LyFuXjw3m+GjQGtHfkDj-Xu41Hym32w@mail.gmail.com>
	<CAEM=y+WkgSkc07ZsU6APAkcu37zVZ7dwSc=jAg1nho31S5ZyxQ@mail.gmail.com>
	<20170225191201.GA15472@savin.petertodd.org>
	<CAMZUoK=sq_sRoXuySca-VAGwA3AzeoZ5iNFSnKULbj+NtPjHFA@mail.gmail.com>
	<20170225210406.GA16196@savin.petertodd.org>
	<CAGLBAhdCb+QLWRm4FWkPvaM2sU24HuafdgNiS=wgnPTGzrW05w@mail.gmail.com>
	<4FE38F6A-0560-4989-9C53-7F8C94EA4C76@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="TB36FDmn/VVEgNH/"
Content-Disposition: inline
In-Reply-To: <4FE38F6A-0560-4989-9C53-7F8C94EA4C76@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-Server-Quench: 01b9b5c2-fba3-11e6-bcdf-0015176ca198
X-AuthReport-Spam: If SPAM / abuse - report it at:
	http://www.authsmtp.com/abuse
X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVKBZePFsRUQkR
	bgdMdAcUHlAWAgsB AmEbWVVeVF17W2M7 bghPaBtcak9QXgdq
	T0pMXVMcUgQIfUl7 U0AeWh11cgEIeX14 Y04sXnEJVRZ/JkRg
	FBwFFnAHZDJmdTJM BBZFdwNVdQJNeEwU a1l3GhFYa3VsNCMk
	FAgyOXU9MCtqYB91 a1hFJlUWRUcQHzk6 XFgHFDYiVWIEW20t
	MhggJ0QVFkIcelk1 eVI9RVsbOARaABw8 V11NATVVYkEIXTYq
	ABgeFUgZDHVfXDxA SgclOhgABzVTXDZR BU1IUQpn
X-Authentic-SMTP: 61633532353630.1038:706
X-AuthFastPath: 0 (Was 255)
X-AuthSMTP-Origin: 52.5.185.120/25
X-AuthVirus-Status: No virus detected - but ensure you scan with your own
	anti-virus system.
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
	autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] SHA1 collisions make Git vulnerable to attakcs by
 third-parties, not just repo maintainers
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Feb 2017 21:40:25 -0000


--TB36FDmn/VVEgNH/
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Feb 25, 2017 at 03:34:33PM -0600, Steve Davis wrote:
> Yea, well. I don=E2=80=99t think it is ethical to post instructions witho=
ut an associated remediation (BIP) if you don=E2=80=99t see the potential a=
ttack.

I can't agree with you at all there: we're still at the point where the
computational costs of such attacks limit their real-world impact, which is
exactly when you want the *maximum* exposure to what they are and what the
risks are, so that people develop mitigations.

Keeping details secret tends to keep the attacks out of public view, which
might be a good trade-off in a situation where the attacks are immediately
practical and the need to deploy a fix is well understood. But we're in the
exact opposite situation.

> I was rather hoping that we could have a fuller discussion of what the be=
st practical response would be to such an issue?

Deploying segwit's 256-bit digests is a response that's already fully coded=
 and
ready to deploy, with the one exception of a new address format. That addre=
ss
format is being actively worked on, and could be deployed relatively quickl=
y if
needed.

--=20
https://petertodd.org 'peter'[:-1]@petertodd.org

--TB36FDmn/VVEgNH/
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJYsfm/AAoJECSBQD2l8JH7WCQIAIepw6T0uvJtk3nCEHJQKznj
uIGHOsG1owVTiet3UWACCSAoi+XLj1pr08nZqtXVz25e5dUR4QtaeyUvHqO7IGuT
4S+g/IuT4SlvFqiCLooPD2juZyhFhnTowxkg6/VcQEUxuCfg0KnA5sVwJlYayQWR
JLZ8z6AYwBany+bWseCdLG+5ZMh/7RvuY3A6tqi/pECWCZostHq5RdmLs0Tsg+6+
VK+0+h/znpp36mBilgkXkGBVQSQQj9J6QE12lwNqhWIWDmZeqr161GjUzfooLUJP
TQM07QNxhlr0pq9EuopbaUG+AfNlABydDpkuOM7vb7bmQigZxFuPCJBvLfw30Oc=
=6idP
-----END PGP SIGNATURE-----

--TB36FDmn/VVEgNH/--