[cryptography] Intel RNG

Jon Callas jon at callas.org
Mon Jun 18 13:20:35 EDT 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Jun 18, 2012, at 5:26 AM, Matthew Green wrote:

> The fact that something occurs routinely doesn't actually make it a good idea. I've seen stuff in FIPS 140 evaluations that makes my skin crawl. 
> 
> This is CRI, so I'm fairly confident nobody is cutting corners. But that doesn't mean the practice is a good one. 

I don't understand.

A company makes a cryptographic widget that is inherently hard to test or validate. They hire a respected outside firm to do a review. What's wrong with that? I recommend that everyone do that. Un-reviewed crypto is a bane.

Is it the fact that they released their results that bothers you? Or perhaps that there may have been problems that CRI found that got fixed?

These also all sound like good things to me.

	Jon



-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii

wj8DBQFP32NnsTedWZOD3gYRAuxbAKCvzWt3/+jKq5VadSBLBo6hfT9L8wCeJT15
8e6Ll1xBvXe8IojvRDvksXw=
=jAzX
-----END PGP SIGNATURE-----


