This is not a strong take, the "fix" doesn't completely fixes the vulnerability. Passwords or private keys are not the same as a user-provided crypto-seed without checksums. This is supposed to be critical PKI software.
It's about corruption and bit rot, not about seed length.
My finding are unrelated and started from when I wanted to benchmark his software. I wanted to know which format it expected for the seed, turns out spaces will do.
It's not about a "corrupted password", it's about that the software generates private keys on the fly based on an unverified seed input. Anyone understanding crypto a tiny bit gets that. This is first-week-of-crypto-class material
Btw, this is a project of a ex-google employee, used in chromium, that google publicly endorses; that's definitely akin to a "google project". Is it damage control yet?
Pretty interesting that you are directly involved in this project yourself but feel the need to defend the same (wrong) narrative here.
You agreeing with the claim that this is not a vulnerability, and somehow being involved in developing CT software is deeply concerning.
You messed this up in at least 5 different ways. Trying to frame this as an official Google project makes everything else you say worthless. Stay with the facts, or GTFO.
Trying to help making things better is great and the spirit of open source. Trying to create drama is useless and unhelpful.
The technical vulnerabilities I reported are factual regardless of organizational relationships. The concerning issue here is that my private security disclosure was forwarded to a public,
Google moderated venue, without consent. Then, I was banned from the same venue to prevent me from being able to defend myself. That’s the actual breach of good faith practice and was actually intended to create drama.
You apply obviously double standards to the same situation.
It's about corruption and bit rot, not about seed length.
My finding are unrelated and started from when I wanted to benchmark his software. I wanted to know which format it expected for the seed, turns out spaces will do.
It's not about a "corrupted password", it's about that the software generates private keys on the fly based on an unverified seed input. Anyone understanding crypto a tiny bit gets that. This is first-week-of-crypto-class material
Btw, this is a project of a ex-google employee, used in chromium, that google publicly endorses; that's definitely akin to a "google project". Is it damage control yet?
Pretty interesting that you are directly involved in this project yourself but feel the need to defend the same (wrong) narrative here.
You agreeing with the claim that this is not a vulnerability, and somehow being involved in developing CT software is deeply concerning.