[Discuss] Good and Bad Crypto
Richard Pieri
richard.pieri at gmail.com
Thu Apr 24 10:34:51 EDT 2014
Mike Small wrote:
> heartbeat requirement at all for the TCP case, but it's always a bug to
> take external untrusted data at its word in this way.
I maintain that this isn't a bug; it's willful stupidity.
> Perhaps. There may be an economic argument why Open Source, or some
> parts of it, isn't getting enough attention from enough of the right
> people. I don't know. I only have trouble with the idea that having
Most of the right people when it comes to crypto are identified by
security agencies very quickly, and then either recruited or constrained
before they pose any threat -- which is to say, before they can
contribute substantially to either open source or proprietary ventures.
Of those who remain, the ones who aren't good enough for the NSA and
similar agencies, most either end up working for big companies like
Microsoft and Google, because these are the only ones that can afford
their salaries, or start their own security-related companies.
> source and not having source is equivalent all else being equal (is this
> a strawman? I thought that's what was being said in places). I remember
I didn't say equivalent. I said equal trustworthiness. If two
cryptographic modules perform identically under the same rigorous test
conditions then they are equally trustworthy under those and similar
conditions. The nature of the code license is irrelevant to the
functional results.
--
Rich P.
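The point both writers agree on above, that a declared length arriving from the peer must never be trusted over the number of bytes actually received, is the whole lesson of the heartbeat case. The following C program is an added example, not code from this thread or from OpenSSL; it models a heartbeat-style record (one type byte, a two-byte big-endian declared payload length, payload, then a minimum of 16 padding bytes) and refuses to build the echo reply unless the declared length fits inside the received record. The record layout, the 16-byte padding minimum, and the sample records are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Record layout assumed for this example: type (1 byte), declared payload
 * length (2 bytes, big-endian), payload, then at least HB_MIN_PADDING bytes. */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16

typedef struct {
    uint8_t type;
    uint16_t declared_len;   /* length claimed by the peer */
    const uint8_t *payload;  /* points into the received record */
} hb_record;

/* Parse a received record. Returns 0 on success, -1 if it is malformed.
 * The essential check: the peer's declared length is untrusted input and is
 * validated against rec_len, the number of bytes we actually received. */
int hb_parse(const uint8_t *rec, size_t rec_len, hb_record *out) {
    if (rec == NULL || out == NULL) return -1;
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    uint16_t declared = (uint16_t)(((unsigned)rec[1] << 8) | rec[2]);
    /* Declared payload plus header plus padding must fit in what arrived;
     * without this line, the copy below would read past the received data. */
    if ((size_t)declared + HB_HEADER_LEN + HB_MIN_PADDING > rec_len) return -1;
    out->type = rec[0];
    out->declared_len = declared;
    out->payload = rec + HB_HEADER_LEN;
    return 0;
}

/* Build the echo reply into reply[]. Returns bytes written, or -1 on a
 * malformed record or an undersized output buffer. */
int hb_build_reply(const uint8_t *rec, size_t rec_len,
                   uint8_t *reply, size_t reply_cap) {
    hb_record r;
    if (hb_parse(rec, rec_len, &r) != 0) return -1;
    size_t need = HB_HEADER_LEN + (size_t)r.declared_len + HB_MIN_PADDING;
    if (need > reply_cap) return -1;
    reply[0] = r.type;
    reply[1] = (uint8_t)(r.declared_len >> 8);
    reply[2] = (uint8_t)(r.declared_len & 0xffu);
    /* Bounded by hb_parse: declared_len bytes are known to exist in rec. */
    memcpy(reply + HB_HEADER_LEN, r.payload, r.declared_len);
    memset(reply + HB_HEADER_LEN + r.declared_len, 0, HB_MIN_PADDING);
    return (int)need;
}

/* Constructed sample: type 1, declared length 5, payload "hello", 16 zero
 * padding bytes. Honest record: 24 bytes received, 24-byte reply expected. */
int demo_valid_reply_len(void) {
    uint8_t rec[24] = {0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    uint8_t reply[64];
    return hb_build_reply(rec, sizeof rec, reply, sizeof reply);
}

/* Constructed sample: same 24 received bytes, but the peer claims a
 * 0xFFFF-byte payload. The parser must reject it rather than copy. */
int demo_oversized_parse(void) {
    uint8_t rec[24] = {0x01, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o'};
    hb_record r;
    return hb_parse(rec, sizeof rec, &r);
}

int main(void) {
    printf("honest record -> reply length %d\n", demo_valid_reply_len());
    printf("oversized claim -> parse result %d\n", demo_oversized_parse());
    return 0;
}
```

The reply is sized from the validated length, not from anything the peer said; a record that claims more payload than was received is dropped before any copy takes place. When reviewing protocol parsers, this is the check to look for: every length field from the wire compared against the bytes in hand before it is used as a copy count.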