Theo de Raadt wrote:
MJ wrote:
On 17 Jan 2014, at 17.30, Christian Weisgerber <[email protected]> wrote:
As guenther@ has pointed out, refusing all crypto covered by that
definition is silly. But even if you limit yourself to the
specification part, you should be very disappointed about the newly
added Curve25519 key exchange and Ed25519 signing in OpenSSH, because
as implemented both rely on SHA-2 cryptographic hashes, which were
not only specified by NIST, but in fact designed by the NSA.
Of course mainstream cryptographers don't think that SHA-2 is
insecure, much less backdoored, but that again raises the question:
What do you mean by that "NIST crypto" you want to avoid?
--
Christian "naddy" Weisgerber [email protected]
Hi,
Consider for a moment the difference between objective thinking and
Since we have to use those ciphers anyway (to communicate with everyone
else on the internet not wearing a tin-foil hat), why don't we just
audit the code implementing those ciphers? We have the source, so anyone
versed in cryptography (I'm sure there are more than a few lurking
around here) can check it out. This would help a lot more people than
just us.
Perhaps you are not a native English speaker because you have used
that word "we" to hand work to us.
No, I'm not a native speaker, some of the pronouns still confuse me.
By 'we' I meant one of us in the community that would be willing to do
it, despite no real justification other than paranoia, not the
community as a whole.
Maybe after we finish that crypto audit you propose (which we never
thought of before), next week we'll take on the starving children in
Africa problem, or peace in the Middle East.
What I meant was that it would be a better use of time to audit the
ciphers (which I am more than sure has been done numerous times) than
it would be to replace all our encryption with an obscure cipher
because the current ciphers may or may not have a backdoor that has
managed to go unnoticed for many years and has been looked at by many
experts.
The only reason I say that 'it would help more than just us' is that
I'm tired of broken ciphers in other OSes causing systems to be
compromised and start spamming me with shit and would rather they used
our code. In reality, I don't give a shit about anyone else who doesn't
pay me, make my life easier or make my life more enjoyable.
Because apparently we are capable of doing everything, even with no
resources.
Let me explain who we are: We're an operating system idea incubation
project, all hobbyist volunteers, held together with some hackathons
and duct tape. We don't take tasks from others, because we have more
than enough directions planned ourselves. We are people who do things
that interest us, a microcosm of the greater community, trying to
push the frontiers forward a little bit, that's all we are.
So can everyone please stop trying to throw more scope at us? If you
want it done, do it yourself.
I don't want to throw more stuff at anyone, my intention was to kill
something that would just waste our time replacing working code with
possibly broken code for no real gain.