[cryptography] the spell is broken
iang at iang.org
Thu Oct 3 05:32:27 EDT 2013
On 2/10/13 20:38 PM, Jared Hunter wrote:
> Aside from the curve change (and even there), this strikes me as a marketing message rather than an important technical choice. The message is "we react to a deeper class of threat than our users understand."
There is a wider concept here. The NSA has done stuff. Are we going to
sit around and accept it?
RSA did. They accepted what they were told by NIST and by their
government purchasing contacts, without challenge. They ignored the
warnings from the cryptographers.
Now look where that got them. Remember Arthur Andersen? The
signal of the conviction in court collapsed the oldest, most respected
audit firm within weeks. That's what RSA is facing...
> Fair enough, but I'd hardly stop using AES or the larger SHA-2 variants on the back of recent news.
So a supplier of integrity is also faced with a much wider question. It
isn't just whether AES is scrunched or SHA-2 is fleeced. It's about who
the supplier trusts and who the supplier is perceived to trust.
In distancing itself from NIST in as many ways as it can think of,
Silent Circle is saying "we call the shots in our products."
The upshot here is that some companies of good product are going to
respond, and they are going to punish NIST and RSA and other suppliers
by various and many means.
Or, they are not. Which says what?
Signals matter in security, we've got precious little else we can do
with the security business than send out the right signals, because for
the most part, our product can't be audited, can't be verified, and must
be relied upon, without any foundation of trust except "these are the
Where do you stand? What signal do you send?