-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Oct 2, 2013, at 12:26 PM, coderman <coder...@gmail.com> wrote:

> On Wed, Oct 2, 2013 at 10:38 AM, Jared Hunter <feralch...@gmail.com> wrote:
>> Aside from the curve change (and even there), this strikes me as a marketing 
>> message rather than an important technical choice. The message is "we react 
>> to a deeper class of threat than our users understand."
> 
> 
> it is simpler than that.  to signal integrity, and provide assurance,
> it is common not just to avoid impropriety, but to avoid the
> _appearance_ of impropriety.
> 
> this change, while not materially affecting security (the weakest link
> in SilentCircle was never the crypto) succeeds in conveying the
> message of integrity as paramount.
> 
> so yes, a marketing message, but a simple one. i have no problem with
> this as long as they're not implying that AES or SHA-2 are broken in
> some respect.

Thank you very much for that assessment.

I'm not implying at all that AES or SHA-2 are broken. If P-384 is broken, I 
believe the root cause is more that it's old than it was backdoored. 

But it doesn't matter what I think. This is a trust issue.

A friend of mine offered this analogy -- what if it was leaked that the 
government replaced all of a vaccine with salt water because some nasty jihadis 
get vaccinated? This is serious and pretty horrifying.

If you're a responsible doctor, and source your vaccines from the same place, 
even if you test them yourself you're stuck proving a negative and in a place 
where stating the negative can look like you're part of the conspiracy.

I see this as a way out of the madness. Yes, it's "marketing" if by marketing 
you mean non-technical. By pushing this out, we're letting people who believe 
there's a problem have a reasonable alternative. 

If we, the crypto community, decide that the P-384+AES+SHA2 cipher suite is 
just fine, we can walk the decision back. It's just a software change.

Let me also add that I wouldn't fault anyone for deciding differently. We, the 
crypto community, need to work together with security and respecting each 
other's decisions even if we make different decisions and do different things. 
I respect the alternate decision, to stay the course.

        Jon




-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii

wj8DBQFSTJzTsTedWZOD3gYRAtsxAJ9CPoZjv+shNwID/ip+9KOcWK/JrQCeKuNv
rZmdU8syRIb+6KmX3xqEHt8=
=W3/0
-----END PGP SIGNATURE-----
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
