[15883] in cryptography@c2.net mail archive
Re: Cryptography and the Open Source Security Debate
daemon@ATHENA.MIT.EDU (John Kelsey)
Tue Aug 10 12:24:54 2004
X-Original-To: cryptography@metzdowd.com
Date: Tue, 10 Aug 2004 08:16:32 -0400 (GMT-04:00)
From: John Kelsey <kelsey.j@ix.netcom.com>
Reply-To: John Kelsey <kelsey.j@ix.netcom.com>
To: lrk <crypto@ovillatx.sytes.net>,
"R. A. Hettinga" <rah@shipwright.com>
Cc: cryptography@metzdowd.com
> From: lrk <crypto@ovillatx.sytes.net>
> Sent: Aug 6, 2004 1:04 PM
> To: "R. A. Hettinga" <rah@shipwright.com>
> Cc: cryptography@metzdowd.com
> Subject: Re: Cryptography and the Open Source Security Debate
...
> More dangerous is a key generator which deliberately produces keys which
> are easy to factor by someone knowing a secret. These should be found
> in open source but I suggest many reviewers could miss this and again the
> "group think" would probably cause most not to even look.
So, how many people on this list have actually looked at the PGP key generation code in any depth? Open source makes it possible for people to look for security holes, but it sure doesn't guarantee that anyone will do so, especially anyone who's at all good at it.
--John
---------------------------------------------------------------------
The Cryptography Mailing List