> My question is, what is the layperson supposed to do, if they must use
> crypto and can't use an off-the-shelf product?

When would that be the case? The only defensible situations I can think of in which a non-crypto-specialist programmer would need to write crypto routines would be an uncommon OS or hardware, or a new or rare programming language which doesn't have libraries available from SourceForge etc. Or maybe implementing an algorithm that's new enough it doesn't have a decent free implementation, but I'm not sure such an algorithm should be used in production code.

Indefensible situations include the programmer wanting to write his own crypto because it's cool or because he just knows he can do better than all the specialists (in which case he's too arrogant or ignorant to benefit from a common gotchas list) or the manager telling the programmer to implement it himself for some bad reason (in which case the programmer should explain why that's a bad idea).

--
"Oooh, so Mother Nature needs a favor?! Well maybe she should have thought of that when she was besetting us with droughts and floods and poison monkeys! Nature started the fight for survival, and now she wants to quit because she's losing. Well I say, hard cheese." -- Montgomery Burns

---------------------------------------------------------------------
The Cryptography Mailing List