[114222] in cryptography@c2.net mail archive


Re: Dutch Transport Card Broken

daemon@ATHENA.MIT.EDU (Ivan Krstić)
Tue Jan 29 11:57:33 2008

Cc: Aram Perez <aramperez@mac.com>,
 Cryptography <cryptography@metzdowd.com>
From: Ivan Krstić <krstic@solarsail.hcs.harvard.edu>
To: Perry E. Metzger <perry@piermont.com>
In-Reply-To: <87ejc66i36.fsf@snark.cb.piermont.com>
Date: Tue, 29 Jan 2008 14:59:12 +0100

On Jan 25, 2008, at 4:27 PM, Perry E. Metzger wrote:
> However, you should be very skeptical when someone claims that they
> "need" to use a home grown crypto algorithm or that they "need" to
> use a home grown protocol instead of
> a well proven one.


I'm beginning to suspect that more often than not, this nonsense is a
result of market forces rather than idiot technologists. In my
experience, senior decision-maker types outside of the computer
industry (and even within it, but perhaps a tad less so) are
sufficiently non-technical as to never have heard of Kerckhoffs'
principle -- and to disbelieve it when they do, since it opposes their
intuition of what makes for secure systems. Various companies (or
departments) then emerge peddling their home-grown crypto and
trumpeting the fact that it's proprietary as a feature, commonly going
hand in hand with stupidly large key sizes.

Some number of these muppets approached me over the last couple of
years offering to donate a free license for their excellent products.
I used to be more polite about it, but nowadays I ask that they Google
the famous Gutmann Sound Wave Therapy[0] and mail me afterwards.

I've never heard back.




[0] Last paragraph, http://diswww.mit.edu/bloom-picayune/crypto/14238

--
Ivan Krstić <krstic@solarsail.hcs.harvard.edu> | http://radian.org

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
