https://bugzilla.novell.com/show_bug.cgi?id=393186
User meissner@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=393186#c4
--- Comment #4 from Marcus Meissner
I havent been following this debacle too closely as i dont have much to do with debian, however, wouldnt such a system be vulnerable to false positives if you are just going to hash partial fingerprints rather than whole fingerprints?
Such a system would have a higher likelihood of false positives, yes. However, it would not exactly be "vulnerable" to them - or at least, the worst-case impact (depending on server settings) is a DoS for a given user's ability to login. With 48-bit partial fingerprints, there may be like one such false positive in the entire world, or none. If we go down to 40 bits, it's less than one in a million of different keys. (I am assuming a blacklist size of around 200,000 partial fingerprints.) In fact, the Debian/Ubuntu patch already uses partial fingerprints based on my earlier suggestion, but I was more conservative at the time, so I suggested 80 bits. Willy Tarreau has since convinced me that even as low as 40 bits is reasonable. Oh, and we are not "hashing" fingerprints, we're merely matching them. Alexander -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.