Added a comment

author: http://joeyh.name/ <joey@web> 2013-03-04 00:04:53 +0000
committer: admin <admin@branchable.com> 2013-03-04 00:04:53 +0000
commit: 31042959db2472aeadc9f70120b325154f15292c (patch)
tree: e6b8851c444a19e042f6c10682607b8baee63cd9
parent: 79dea2f2ec93512c8397cae74bee5fba15d05294 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/bugs/encryption_key_is_surprising/comment_1_5b172830ac31d51a1687bc8b1db489f9._comment b/doc/bugs/encryption_key_is_surprising/comment_1_5b172830ac31d51a1687bc8b1db489f9._comment
new file mode 100644
index 000000000..04854b3a4
--- /dev/null
+++ b/doc/bugs/encryption_key_is_surprising/comment_1_5b172830ac31d51a1687bc8b1db489f9._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="http://joeyh.name/"
+ nickname="joey"
+ subject="comment 1"
+ date="2013-03-04T00:04:53Z"
+ content="""
+My first concern is if this means it's insecure. Luckily it seems not; HMAC SHA1 needs only 64 bytes of entropy, which are more than provided in the 256 bytes of base64 provided. As long as both gpg and the HMAC code use the full provided key (and not just the first 64 bytes of it, say), we're ok. And as far as I can tell, both do fully consume and use the key.
+
+So, I don't feel the need to change the code, aside from some minor improvements to variable names.
+"""]]
author	http://joeyh.name/ <joey@web>	2013-03-04 00:04:53 +0000
committer	admin <admin@branchable.com>	2013-03-04 00:04:53 +0000
commit	31042959db2472aeadc9f70120b325154f15292c (patch)
tree	e6b8851c444a19e042f6c10682607b8baee63cd9
parent	79dea2f2ec93512c8397cae74bee5fba15d05294 (diff)