Page MenuHome GnuPG

web,libgcrypt: Publish our stance what kind of attacks are **not** under our scope
Closed, ResolvedPublic

Description

While libgcrypt is written for general purpose computers in mind, it comes more hardware features available, which are considered not safe.

When users run the code of libgcrypt with those hardware, it's up to users to protect against attacks.

It is good for libgcrypt to publish something. How about the following as an initial start?

==========================
** Threat Model of libgcrypt

For libgcrypt, as it's a library, it is intended to be used widely.
Thus, users can run the code in any environments as they wish.
However, there are hardware which may allow access to fine-grained
side channel.  Those hardware related threats are out of the scope of
libgcrypt threat model.  It's up to users not to offer any access to
those side channels, if any.
==========================

We won't deny an improvement against such an attack, but we consider that as an improvement of implementation, and not handle as software vulnerability.

Related Objects

Event Timeline

gniibe renamed this task from web,libgcrypt: Publish our stance what kind of attacks are under our scope to web,libgcrypt: Publish our stance what kind of attacks are **not** under our scope.Dec 14 2021, 7:41 AM
gniibe created this task.