[cryptography] the spell is broken

ianG iang at iang.org
Thu Oct 3 05:32:27 EDT 2013


On 2/10/13 20:38 PM, Jared Hunter wrote:
> Aside from the curve change (and even there), this strikes me as a marketing message rather than an important technical choice. The message is "we react to a deeper class of threat than our users understand."


There is a wider concept here.  The NSA has done stuff.  Are we going to 
sit around and accept it?

RSA did.  They accepted what they were told by NIST and by their 
government purchasing contacts, without challenge.  They ignored the 
warnings from the cryptographers.

Now look where that got them.  Remember Arthur Andersen?  The 
signal of the conviction in court collapsed the oldest, most respected 
audit firm within weeks.  That's what RSA is facing...


> Fair enough, but I'd hardly stop using AES or the larger SHA-2 variants on the back of recent news.


So a supplier of integrity is also faced with a much wider question.  It 
isn't just whether AES is scrunched or SHA-2 is fleeced.  It's about who 
the supplier trusts and who the supplier is perceived to trust.

In distancing itself from NIST in as many ways as it can think of, 
Silent Circle is saying "we call the shots in our products."



The upshot here is that some companies of good product are going to 
respond, and they are going to punish NIST and RSA and other suppliers 
by various and many means.

Or, they are not.  Which says what?

Signals matter in security.  We've got precious little else we can do 
with the security business than send out the right signals, because for 
the most part, our product can't be audited, can't be verified, and must 
be relied upon, without any foundation of trust except "these are the 
good guys."

Where do you stand?  What signal do you send?



iang