web,libgcrypt: Publish our stance what kind of attacks are **not** under our scope
Closed, Resolved, Public

Description

While libgcrypt is written with general-purpose computers in mind, there are now more hardware features available which are considered not safe.

When users run the code of libgcrypt on such hardware, it's up to users to protect against attacks.

It is good for libgcrypt to publish something. How about the following as an initial start?

==========================
** Threat Model of libgcrypt

For libgcrypt, as it's a library, it is intended to be used widely.
Thus, users can run the code in any environment as they wish.
However, there is hardware which may allow access to fine-grained
side channels.  Those hardware-related threats are out of the scope of
the libgcrypt threat model.  It's up to users not to offer any access to
those side channels, if any.
==========================

We won't deny an improvement against such an attack, but we consider it an improvement of the implementation, and do not handle it as a software vulnerability.

Event Timeline

gniibe renamed this task from web,libgcrypt: Publish our stance what kind of attacks are under our scope to web,libgcrypt: Publish our stance what kind of attacks are **not** under our scope. Dec 14 2021, 7:41 AM
gniibe created this task.