On Sat, Jan 22, 2011 at 01:26:07AM +0100, Tollef Fog Heen wrote:
> I don't see why you think missing salting should be grave. Sure, it
> should be fixed, but it's hardly the end of the world.

Mainly because if you personalize a few keys in a row using this tool and you do not pay attention to using different "AES passphrases", relying on the random salting, you will end up with all your keys having the same AES key. I think this is why it should be "grave", because if you use Yubikeys configured this way you will "introduces a security hole allowing access to the accounts of users who use the package" [http://www.debian.org/Bugs/Developer.en.html#severities].

I agree that you need a not-very-bright administrator, but it is still a bug.

Antoine
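
The failure mode discussed in this message, as an added example that is not part of the original e-mail or of the tool's code: a batch of tokens personalized from one passphrase with and without a per-token random salt, plus a check that flags tokens sharing an AES key. PBKDF2-HMAC-SHA1, the iteration count, the salt length and all function names and sample values are assumptions made for illustration; the message does not name the tool's derivation function.

```python
import hashlib
import os
from collections import defaultdict

ITERATIONS = 1024  # assumed iteration count, for illustration only
KEY_LEN = 16       # 128-bit AES key
SALT_LEN = 8       # assumed salt length

# Constructed sample data: three tokens personalized in a row by an
# administrator who types the same passphrase each time.
SERIALS = ["token-A", "token-B", "token-C"]
PASSPHRASE = "same passphrase typed each time"


def derive_aes_key(passphrase: str, salt: bytes) -> bytes:
    """Derive an AES key from a passphrase (assumed KDF: PBKDF2-HMAC-SHA1)."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), salt, ITERATIONS, KEY_LEN
    )


def personalize_batch(serials, passphrase, salted):
    """Return {serial: aes_key}; salted=False models the missing-salt bug."""
    keys = {}
    for serial in serials:
        # With the bug, every derivation sees the same (empty) salt, so the
        # passphrase alone determines the key.
        salt = os.urandom(SALT_LEN) if salted else b""
        keys[serial] = derive_aes_key(passphrase, salt)
    return keys


def find_shared_keys(keys):
    """Audit check: list groups of serials that ended up with one AES key."""
    by_key = defaultdict(list)
    for serial, key in keys.items():
        by_key[key].append(serial)
    return sorted(sorted(group) for group in by_key.values() if len(group) > 1)


if __name__ == "__main__":
    unsalted = personalize_batch(SERIALS, PASSPHRASE, salted=False)
    salted = personalize_batch(SERIALS, PASSPHRASE, salted=True)
    print("unsalted, tokens sharing a key:", find_shared_keys(unsalted))
    print("salted,   tokens sharing a key:", find_shared_keys(salted))
```
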