- From: cynthia <notifications@github.com>
- Date: Tue, 26 Jan 2021 15:57:48 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 26 January 2021 23:58:00 UTC
Friendly pong! @plinss and I discussed this during our F2F. We agree about the problem (timing attacks), and as a mitigation to the problem at stake, it seems like an acceptable immediate solution. It's worth noting that while this can prevent timing attacks, it probably won't help with attacks like Spectre. As for a longer-term solution for this problem, it feels like adding one more key every time we have this kind of problem is trading off security at the expense of the user. Bandwidth, energy, and storage don't come for free - and n-key feels like a short-sighted solution that simplifies the implementation, but eventually, the user is the one who suffers. We briefly discussed ideas like minimum constant load times, like what crypto does as a different way to approach this - have different options ever been considered? (Asking because we did not see any "alternatives" in the explainer.) -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/596#issuecomment-767908707
Received on Tuesday, 26 January 2021 23:58:00 UTC