I'm really not going to take this up on these lists any more. You
folks should mostly know how I feel about this, and I've attacked
Vin's employer enough hereabouts. But he did lure me out with a
couple of bits.

2000-01-11-22:27:48 Vin McLellan:
>          1.  Mr. Todd [...] said that he believed that RSA's BSAFE
> code was susceptible to a buffer overrun vulnerability recently
> discovered in RSAREF.

What I said, quoting my words quoted in an earlier note by Vin:

->RSADSI forces people within the US who want to use RSA for
->non-commercial purposes to use RSAREF. They sell a closed-source,
->proprietary BSAFE lib, which may or may not have similar problems
->(I'd guess it does, since they're not programmers).

RSADSI has publicly claimed that BSAFE does not in fact have the
precise problem that RSAREF had, and that's good enough for Vin. All
else is supposition. I said "I'd guess it does [have similar
problems]". That's a combination of my belief in the importance of
open code review, which BSAFE has not enjoyed, along with the known
quality of the code offered by RSADSI. I have less respect for that
latter than Vin does. My opinion is more influenced by second-hand
remarks, including some from Vin, than from first-hand experience
with the code; all I've done is run it, never peered under the hood,
and aside from finding it slower than some competitors I know little
personally about it.

> Mr. T also made what I called several "obscenely ill-informed"
> comments about the quality of RSA's staff and crypto engineering.

By repeatedly conflating all companies in any way associated
with RSA we get to draw in various competent people into the big
umbrella. I took some care to try and confine my remarks to RSADSI;
perhaps that was a waste of effort.

It's possible that good programmers actually did work on BSAFE for
all I know; people have done the strangest things. But it's for sure
that BSAFE doesn't compete on its merits, it competes under threat
from lawyers. Which threat gets defanged on September 29 of this
year.

> Mr. T hates RSA because he believes RSADSI was to blame for the US
> Patent Office's decision to permit cryptosystems like RSApkc to be
> patented.

Nope. I've not said that, and don't believe it. Sure, granting
patents on algorithms is insane, and using the ability to do so to
blackmail people into using your inferior product is amoral and
evil. But they didn't start the practice, they've just attempted to
profit from it.

-Bennett
