[Discuss] Good and Bad Crypto

[Mike Small]

john saylor <js0000 at gmail.com> writes:

> On 4/22/14, 14:37 , Edward Ned Harvey (blu) wrote:
>> You're saying, that the only way anybody in the world can trust
>> anything, is to literally download everything from source, *read*
>> all the source, and compile it themselves.
>
> instead of just calling "bs" can you suggest some other means by which
> you can trust crypto software?
>
> if you're not doing this work [source examination and local compile]
> then what are you basing your trust upon?
>
> someone else's word? someone else's audit report? what other means are
> available to you?

There's always FIPS 140 certification:
http://oss-institute.org/latest-news/248-openssl-announces-new-fips-140-2-validation-

But it appears that the testing labs doing that insist that at least
they themselves get to see the source code:
http://www.albany.edu/acc/courses/ia/acc661/sp800-29.pdf

I would agree that my studying all the source code I run isn't
realistic.  (Nonetheless it's nice to daydream about running a system
simple enough where that's almost feasible -- minix? plan 9?)  I've
spent hours here and there this week just trying to read enough X source
to figure out whether I'm right in thinking I need to do the following
to use the security extension or if there's a more direct way and
whether there's a way to mark XVideo as a secure extension. The
documentation isn't very clear about what access you already need before
running xauth generate.

(trusted_user) $ xhost +si:localuser:untrusted_user
(trusted_user) $ su -l untrusted_user -c xterm
(untrusted_user) $ xauth generate :0 . timeout 10000
(trusted_user) $ xhost -si:localuser:untrusted_user
(untrusted_user) $ firefox & mplayer & etc.

Auditing everything I use would be too much time, and I don't have the
skill. It's the wider world I'm counting on, but ideally, it would be a
wider group than a single company's development department or that
company plus a single government test lab.