Verification code not strong enough #2

@mtib

It is very simple to create a version of this generator that will generate correct verification codes for arbitrary timestamps, which would allow someone to practice a seed and submit and stream it for the correct time.

My problem isn't with the verification code itself, but the trust that is put on it by the community.

Example

  1. Replace hashing of the source code with the hash-result of the "correct" version
  2. Hardcode wanted timestamps or redirect time(NULL) calls (doesn't even require (1))

Result

This means a seed and verification code do not verify:

  • Time of creation of the seed
  • Use of generator code/version

The only information that is verified:

  • Use of cipher to generate seed
  • Number of iterations
  • IV of cipher

The verified information seems not useful to the FSG community as it is just a byproduct of how this exact generator-filter works, and it should be communicated that the verification code does not verify correct usage of the generator by the FSG rules.
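The gap described in the issue above, as an added example that is not code from this issue or from the generator project: a code built only from inputs the runner holds verifies for any timestamp the runner names, while a tag keyed by a service the runner does not control binds the seed to that service's clock. The scheme, `SeedNotary`, the key, the hashes and the seed value are all constructed assumptions, not the project's actual algorithm.

```python
import hashlib
import hmac

def unkeyed_code(source_hash: bytes, timestamp: int, seed: int) -> str:
    """Constructed client-side scheme: every input is known to the runner."""
    msg = source_hash + timestamp.to_bytes(8, "big") + seed.to_bytes(8, "big", signed=True)
    return hashlib.sha256(msg).hexdigest()[:16]

def verify_unkeyed(source_hash: bytes, timestamp: int, seed: int, code: str) -> bool:
    # Passes for any (timestamp, seed) pair: it proves the computation was
    # done, not when it was done or which binary did it.
    return hmac.compare_digest(unkeyed_code(source_hash, timestamp, seed), code)

class SeedNotary:
    """Hypothetical service that stamps seeds with its own clock and secret key."""

    def __init__(self, key: bytes):
        self._key = key  # never leaves the service

    def _tag(self, seed: int, issued_at: int) -> str:
        msg = b"fsg-seed-v1|%d|%d" % (seed, issued_at)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, seed: int, now: int) -> dict:
        # The seed must be generated by the service itself; a runner-supplied
        # seed could have been practiced before it was submitted for stamping.
        return {"seed": seed, "issued_at": now, "tag": self._tag(seed, now)}

    def verify(self, token: dict, max_age: int, now: int) -> bool:
        expected = self._tag(token["seed"], token["issued_at"])
        if not hmac.compare_digest(expected, token["tag"]):
            return False  # seed or timestamp was altered after issuance
        return 0 <= now - token["issued_at"] <= max_age

def demo():
    published_hash = hashlib.sha256(b"constructed generator source").digest()
    seed, claimed_time = 123456789, 1_700_000_000  # constructed sample values
    code = unkeyed_code(published_hash, claimed_time, seed)
    unkeyed_ok = verify_unkeyed(published_hash, claimed_time, seed, code)

    notary = SeedNotary(b"constructed-server-key")
    token = notary.issue(seed, now=1_700_000_000)
    fresh_ok = notary.verify(token, max_age=600, now=1_700_000_300)
    retimed = dict(token, issued_at=1_699_000_000)  # timestamp changed by holder
    retimed_ok = notary.verify(retimed, max_age=600, now=1_699_000_300)
    return unkeyed_ok, fresh_ok, retimed_ok

if __name__ == "__main__":
    print(demo())
```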
