On Wednesday, March 20, 2019 at 12:07:49 PM UTC-7, ohir wrote:
>
> Adam Langley is a well recognized expert in the field. I trust in his 
> decisions. 

+1 
 

> Validated is the exact version of boringcrypto: 24e.....d6f5
> It will not lose its validation even if it has a bug.
> If it fixes this bug, its validation is lost.
>
Another expert in the field that I know and trust is Donna Dodson,
https://www.nist.gov/about-us/nist-awards/donna-dodson-nist-fellow 
Donna assures that security bug fixes to validated security software
should not be viewed as breaking the validation.  That would be
perverse and NIST will back you up if some crazy auditor challenges
you.

It could be a matter of debate whether disallowing SHA1 is strictly
speaking a bug fix in the same sense as preventing a buffer overflow.
But again I'm sure you could win an argument with an auditor.
 
