[Freedombox-discuss] secure UUIDs

Jonas Smedegaard dr at jones.dk
Sat Jul 20 18:38:51 UTC 2013

Hi fellow FreedomBox developers,

I just stumbled upon the following potentially interesting for someone 
here to investigate further:

Perl module [Data::UUID::MT] includes in its documentation a comparison 
between Perl-based UUID generators, including weak uses of random data 
and details like "For libuuid based modules, Version 1 UUIDs will 
include the actual MAC address, if available".

[Data::UUID::MT]: https://metacpan.org/module/Data::UUID::MT

Perhaps an interesting task to investigate...:

  * Is that documentation accurate and up-to-date?
  * How do non-Perl UUID generators compare (e.g. libuuid bindings)?

I do understand that use of MAC addresses is part of the RFC standard 
and is legal to circumvent.  My concern here is that it sounds like the 
quite common libuuid may leak MAC address by _default_ i.e. need special 
care at each use that may later be exposed to external hosts.

Cc'ing Daniel explicitly as he has requested in the past to be nudged 
gently regarding security-related issues :-)

 - Jonas

 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20130720/42eeb3c4/attachment.sig>

More information about the Freedombox-discuss mailing list