Rich Salz wrote:
> > I still see it as a problem, since the data then
> > potentially sticks around for a longer time, and is therefore
> > retrievable for anyone who cracked root if that would happen.
> Anyone who can crack root will just install a trojan openssl library,
> anyway. Seems little point in holding up a release for this.
> /r$
Agreed. It's not even clear you can prevent this
sort of optimisation.
Some good discussions at
http://online.securityfocus.com/archive/1/300365/2002-11-12/2002-11-18/1
http://online.securityfocus.com/archive/82/297827/2002-10-26/2002-11-01/0
Matt
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List