[148615] in cryptography@c2.net mail archive

Re: [Cryptography] RSA is dead.

daemon@ATHENA.MIT.EDU (Ralf Senderek)
Mon Dec 23 10:28:24 2013

X-Original-To: cryptography@metzdowd.com
Date: Mon, 23 Dec 2013 09:40:20 +0100 (CET)
From: Ralf Senderek <crypto@senderek.ie>
To: ianG <iang@iang.org>
In-Reply-To: <20131223081228.724D823484@laptop.kerry-linux.ie>
Cc: Cryptography <cryptography@metzdowd.com>
Reply-To: Ralf Senderek <crypto@senderek.ie>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


On Mon, 23 Dec 2013, ianG wrote:

> Open Source as a guarantee of security is really just the marketing of
> the open source folk.  It certainly helps but collecting those smart
> eyeballs isn't as easy as saying it.
>
> iang

Of course open source is never a guarantee, I didn't say that. We should
not confuse a necessary condition with a sufficient one. But the RSA (Inc)
marketing implied that closed-shop trusted expert crypto is superior to
open source crypto products. And that is certainly false.

As Peter, Dirk-Willem and Jerry rightly pointed out, it is very difficult
to find crafted backdoors even in open source products. But just because
something is difficult, that doesn't mean it should not be done.

With open source it can be done. But some essential changes are needed.
Those who have the ability to check crypto code must be actively engaged
by the community / society. If there is no incentive nor any substantial
acknowledgement of this important work, if code audit is mainly seen as 
private activity with no financial rewards, then yes, we can forget
security.

                --ralf
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography