>From [email protected] Fri Jan 17 14:56:02 2014
>Date: Fri, 17 Jan 2014 13:15:22 -0800
>From: Christopher Ahrens <[email protected]>
>To: MJ <[email protected]>, Christian Weisgerber <[email protected]>
>CC: misc <[email protected]>
>Subject: Re: NIST-free crypto, autociphering, and libsodium (NaCl)
>
>MJ wrote:
>> On 17 Jan 2014, at 17.30, Christian Weisgerber <[email protected]> wrote:
>>>
>>> As guenther@ has pointed out, refusing all crypto covered by that
>>> definition is silly.  But even if you limit yourself to the
>>> specification part, you should be very disappointed about the newly
>>> added Curve25519 key exchange and Ed25519 signing in OpenSSH, because
>>> as implemented both rely on SHA-2 cryptographic hashes, which were
>>> not only specified by NIST, but in fact designed by the NSA.
>>>
>>> Of course mainstream cryptographers don't think that SHA-2 is
>>> insecure, much less backdoored, but that again raises the question:
>>> What do you mean by that "NIST crypto" you want to avoid?
>>>
>>> --
>>> Christian "naddy" Weisgerber                          [email protected]
>>>
>>
>> Hi,
>>
>> Consider for a moment the difference between objective thinking and
>Since we have to use those ciphers anyway (to communicate with everyone
>else on the internet not wearing a tin-foil hat), why don't we just
>audit the code implementing those ciphers?  We have the source, so anyone
>versed in cryptography (I'm sure there are more than a few lurking
>around here) can check it out.  This would help a lot more people than
>just us.

Perhaps you are not a native English speaker because you have used
that word "we" to hand work to us.

Maybe after we finish that crypto audit you propose (which we never
thought of before), next week we'll take on the starving children in
Africa problem, or peace in the Middle East.

Because apparently we are capable of doing everything, even with no
resources.

Let me explain who we are: We're an operating system idea incubation
project, all hobbyist volunteers, held together with some hackathons
and duct tape.  We don't take tasks from others, because we have more
than enough directions planned ourselves.  We are people who do things
that interest us, a microcosm of the greater community, trying to
push the frontiers forward a little bit, that's all we are.

So can everyone please stop trying to throw more scope at us?  If you
want it done, do it yourself.
