While libgcrypt is written with general-purpose computers in mind, more hardware features are becoming available which are considered not safe.
When users run the code of libgcrypt on such hardware, it's up to users to protect against attacks.
It is good for libgcrypt to publish something. How about the following as an initial start?
```
==========================
** Threat Model of libgcrypt
For libgcrypt, as it's a library, it is intended to be used widely.
Thus, users can run the code in any environment as they wish.
However, there is hardware which may allow access to fine-grained
side channels. Those hardware-related threats are out of the scope of
the libgcrypt threat model. It's up to users not to offer any access to
those side channels, if any.
==========================
We won't deny an improvement against such an attack, but we consider that an improvement of the implementation, and do not handle it as a software vulnerability.
```