[cryptography] Intel RNG
jon at callas.org
Mon Jun 18 13:20:35 EDT 2012
-----BEGIN PGP SIGNED MESSAGE-----
On Jun 18, 2012, at 5:26 AM, Matthew Green wrote:
> The fact that something occurs routinely doesn't actually make it a good idea. I've seen stuff in FIPS 140 evaluations that makes my skin crawl.
> This is CRI, so I'm fairly confident nobody is cutting corners. But that doesn't mean the practice is a good one.
I don't understand.
A company makes a cryptographic widget that is inherently hard to test or validate. They hire a respected outside firm to do a review. What's wrong with that? I recommend that everyone do that. Un-reviewed crypto is a bane.
Is it the fact that they released their results that bothers you? Or perhaps that there may have been problems that CRI found that got fixed?
These also all sound like good things to me.
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
-----END PGP SIGNATURE-----
More information about the cryptography