Getting crypto protocols right is very difficult. Lots of "obvious" and "simple" approaches are vulnerable to attacks. That is why NSS encourages the use of vetted crypto protocols and does not encourage roll-your-own crypto protocols.
However, the fact remains that many applications (of which the one mentioned by the original poster might or might not be one) do require only one or two algorithms, to be included in the application build-base in source form. No such resource is readily available on the net - most crypto libraries (NSS included) are just a horrible mess from the software engineering point of view. Whether or not poor software engineering can still produce good security ought to be seriously examined.
Roger
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
