Subject: Re: NetBSD Security Advisory 2002-009: Multiple vulnerabilities in OpenSSL code
To: Ignatios Souvatzis <firstname.lastname@example.org>
From: David Maxwell <email@example.com>
Date: 08/07/2002 11:06:46
On Tue, Aug 06, 2002 at 09:53:47PM +0200, Ignatios Souvatzis wrote:
> I can see why SO announcements might NOT use this -
> SO want to have the same message they send out available on the ftp server,
> while creating PGP/MIME involves creating a detached signature.
> OTOH, storing a separate signature per announcement might be ok.

I would rather not have the MUA doing the signing, for a couple reasons:

Consistency - If different S-Os use different MUAs, or an S-O changes
MUA over time, the SAs shouldn't be text one time, MIME the next, etc.

Key location - I do not keep the S-O PGP key on the machine that I send
mail from. I sign the advisories and copy them to the machine from which
they are mailed.

David Maxwell, firstname.lastname@example.org, email@example.com
An organization gets what it rewards.
- Perry Metzger