On Sat, Oct 5, 2013 at 3:13 PM, Erwann Abalea wrote:
>
> 2013/10/4 Paul Wouters
>>
>> [...]
>> People forget the NSA has two faces. One side is good. NIST and FIPS
>> and NSA are all related. One lesson here might be, only use FIPS when
>> the USG requires it. That said, a lot of FIPS still make
2013/10/4 Paul Wouters
> [...]
> People forget the NSA has two faces. One side is good. NIST and FIPS
> and NSA are all related. One lesson here might be, only use FIPS when
> the USG requires it. That said, a lot of FIPS still makes sense. I'm
> surely not going to stick with md5 or sha1.
>
>
W
On 4/10/13 10:52 AM, Peter Gutmann wrote:
Jon Callas writes:
In Silent Text, we went far more to the "one true ciphersuite" philosophy. I
think that Iang's writings on that are brilliant.
Absolutely. The one downside is that you then need to decide what the OTS is
going to be. For example
On 04/10/13 22:58, Jeffrey Goldberg wrote:
On 2013-10-04, at 4:24 AM, Alan Braggins wrote:
Surely that's precisely because they (and SSL/TLS generally) _don't_
have a One True Suite, they have a "pick a suite, any suite" approach?
And for those of us having to choose between preferring BEAST
On 2013-10-05 10:44, Jeffrey Walton wrote:
On Thu, Oct 3, 2013 at 10:32 PM, James A. Donald wrote:
On 2013-10-04 11:41, Jeffrey Walton wrote:
We could not get rid of Trustwave in the public sector (so much for
economics).
What is wrong with trustwave?
The company operates in an industry wher
On Thu, Oct 3, 2013 at 10:32 PM, James A. Donald wrote:
> On 2013-10-04 11:41, Jeffrey Walton wrote:
>>
>> We could not get rid of Trustwave in the public sector (so much for
>> economics).
>
> What is wrong with trustwave?
The company operates in an industry where trust is a commodity. The
compan
On Fri, Oct 4, 2013 at 6:55 PM, Jeffrey Goldberg wrote:
>> b) algorithm agility is useless if you don't have algorithms to choose
>> from, or if the ones you have are all in the same "family”.
>
> Yep.
>
> And even though that was the excuse for including Dual_EC_DRBG among the
> other DBRGs, does
On 2013-10-04, at 5:19 PM, Nico Williams wrote:
> There's a lesson here. I'll make it two for now:
>
> a) algorithm agility *does* matter; those who say it's ETOOHARD should
> do some penitence;
Mea culpa! (Actually I never spoke up on this before)
But I do think that difficulty of implementa
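The two lessons above (agility matters, and agility is useless if every available algorithm belongs to the same family) are easy to state and easy to get wrong in code. The following is an added example, not code from this thread or from Silent Circle: a tagged-digest format using only Python's hashlib, where the algorithm name travels with the digest, verification accepts only an explicit allowlist (md5 and sha1 are deliberately absent, as Paul Wouters suggests above), and a fallback routine refuses to "migrate" from one SHA-2 variant to another. The FAMILY grouping, the `alg$hex` tag format and the function names are assumptions made for illustration.

```python
"""Algorithm-agile hashing (added example, not from the original thread).

Digests are stored as "<alg>$<hex>" so the algorithm can be recognised when
the value is checked later.  Verification accepts only an explicit allowlist,
so the default can move without invalidating earlier digests, while retired
algorithms fail closed instead of being silently trusted.
"""
import hashlib
import hmac

# Assumed grouping for illustration: which construction each name belongs to.
# hashlib's own names are used; the family labels are this example's.
FAMILY = {
    "md5": "md",
    "sha1": "sha1",
    "sha256": "sha2",
    "sha512": "sha2",
    "sha3_256": "keccak",
    "blake2b": "blake2",
}

# md5 and sha1 are intentionally missing: tags using them verify as False.
ACCEPTED = ("sha256", "sha512", "sha3_256", "blake2b")
DEFAULT = "sha256"


def digest(data: bytes, alg: str = DEFAULT) -> str:
    """Return a self-describing digest of `data` using an accepted algorithm."""
    if alg not in ACCEPTED:
        raise ValueError(f"{alg} is not an accepted algorithm")
    return f"{alg}${hashlib.new(alg, data).hexdigest()}"


def verify(data: bytes, tagged: str) -> bool:
    """Check `tagged` against `data`; unknown or retired algorithms fail closed."""
    alg, _, hexdigest = tagged.partition("$")
    if alg not in ACCEPTED:
        return False
    expected = hashlib.new(alg, data).hexdigest()
    # Constant-time comparison so verification does not leak where it differs.
    return hmac.compare_digest(expected, hexdigest)


def independent_fallback(alg: str) -> str:
    """Pick an accepted algorithm from a different family than `alg`.

    Agility only helps if the alternative does not share the construction
    you are moving away from: sha512 is no escape route from sha256.
    """
    for candidate in ACCEPTED:
        if FAMILY[candidate] != FAMILY[alg]:
            return candidate
    raise LookupError("no accepted algorithm outside family " + FAMILY[alg])


if __name__ == "__main__":
    tag = digest(b"hello")                      # constructed sample input
    print(tag, verify(b"hello", tag))
    print("fallback for sha256:", independent_fallback("sha256"))
```

Moving the default is a one-line change to `DEFAULT`; old tags keep verifying until their algorithm is removed from `ACCEPTED`, at which point they are rejected rather than downgraded to.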
On Fri, Oct 4, 2013 at 4:58 PM, Jeffrey Goldberg wrote:
> On 2013-10-04, at 4:24 AM, Alan Braggins wrote:
>
>> Surely that's precisely because they (and SSL/TLS generally) _don't_
>> have a One True Suite, they have a "pick a suite, any suite" approach?
>
> And for those of us having to choose be
On 2013-10-04, at 4:24 AM, Alan Braggins wrote:
> Surely that's precisely because they (and SSL/TLS generally) _don't_
> have a One True Suite, they have a "pick a suite, any suite" approach?
And for those of us having to choose between preferring BEAST and RC4
for our webservers, it doesn’t loo
On 04/10/13 08:52, Peter Gutmann wrote:
Jon Callas writes:
In Silent Text, we went far more to the "one true ciphersuite" philosophy. I
think that Iang's writings on that are brilliant.
Absolutely. The one downside is that you then need to decide what the OTS is
going to be. For example Mo
Jon Callas writes:
>In Silent Text, we went far more to the "one true ciphersuite" philosophy. I
>think that Iang's writings on that are brilliant.
Absolutely. The one downside is that you then need to decide what the OTS is
going to be. For example Mozilla (at least via Firefox) seems to thin
On 2013-10-04 08:54, Eric Murray wrote:
NSA can act through people outside NIST too.
Committees tend to wind up controlled by evil conspiracies. That is
another advantage of having standards set by an unelected president for
life instead of a committee.
A committee multiplies the points of
On 2013-10-04 11:26, Jeffrey Goldberg wrote:
But not using AES is a protest that hurts only ourselves.
I have always been inclined to believe that that twofish is better than AES.
Refusing to use AES, or making it the non default choice, is rejecting
NIST as a standards body.
We need to rej
On 2013-10-04 11:41, Jeffrey Walton wrote:
We could not get rid of Trustwave in the public sector (so much for
economics).
What is wrong with trustwave? They are smart people, unlike the world
bank economists who do not know the difference between negative feedback
and positive feedback, or
On Thu, Oct 3, 2013 at 9:26 PM, Jeffrey Goldberg wrote:
>...
>
> I would put it more strongly than that. I think that NIST needs to be
> punished. Even if Dual_EC_DRBG were their only lapse, any entity that has
> allowed themselves to be used that way should be forced to exit the business
> of
Jon, first of all thank you for your extremely thoughtful note.
I suspect that we will find that we don’t actually disagree about much, and
also my previous rant was driven by the general anger and frustration that all
of us are experiencing. That is, I may have been misdirecting my anger at the
"James A. Donald" writes:
>By moving away from anything NIST has touched he deprives the NSA of leverage
>to insert backdoors,
Just as a bit of a counterpoint here, how far do you want to go down this
rathole? Someone recently pointed me to the latest CERT vuln. summary
(because of a few intere
On 2013-10-04 08:04, Paul Wouters wrote:
Reasoning that way, you're very quickly left with nothing but a tin foil
hat. Let's say we agree on twofish. Then NIST/NSA certifies it for FIPS.
Are we then taking that as proof it is compromised and figure out
something else?
If people were adopting twofi
On 10/03/2013 03:22 PM, James A. Donald wrote:
> By moving away from anything NIST has touched he deprives the NSA of
> leverage to insert backdoors,
NSA can act through people outside NIST too.
By focusing on NIST we miss the larger problem. Any cryptographer or
security engineer can be comprom
On 2013-10-04 07:31, Jon Callas wrote:
absolutely, this is an emotional response. It's protest. Intellectually, I
believe that AES and SHA2 are not compromised. Emotionally, I am angry and I
want to distance myself from even the suggestion that I am standing with the
NSA. As Coderman and Iang
Not quite.
If people agree on Twofish and a generalized standard outside of NIST,
then if NIST picks it up and agrees as well there isn't much concern.
The problem is with older existing standards or if NIST provides
unexplained changes or magic values to the standard.
On 03/10/2013 4:04 PM, Paul
On Thu, 3 Oct 2013, Kelly John Rose wrote:
In short, I feel that all trust for NIST has to be broken. It doesn't
matter if AES or SHA-2 is broken or not broken. You cannot go into a
security environment with a tool that is known to be compromised
(NIST) and just hope and pray that the pieces you
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I agree fully Jon,
In short, I feel that all trust for NIST has to be broken. It doesn't
matter if AES or SHA-2 is broken or not broken. You cannot go into a
security environment with a tool that is known to be compromised
(NIST) and just hope and pray
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Oct 3, 2013, at 7:13 AM, Jeffrey Goldberg wrote:
Jeff,
You might call it "security theatre," but I call it (among other things)
"protest." I have also called it "trust," "conscience," and other things
including "emotional." I'm willing to call
On 2013-10-03, at 1:28 PM, James A. Donald wrote:
> On 2013-10-04 00:13, Jeffrey Goldberg wrote:
>> So unless you and Silent Circle have information that the rest of us don’t
>> about AES and SHA-2, I’m actually pissed off at this action. It puts more
>> pressure on us to follow suit, even thou
On 2013-10-04 00:13, Jeffrey Goldberg wrote:
So unless you and Silent Circle have information that the rest of us don’t
about AES and SHA-2, I’m actually pissed off at this action. It puts more
pressure on us to follow suit, even though such a move would be pure security
theater.
You have to
On 2013-10-04 02:03, Jared Hunter wrote:
One of the biggest issues we're wrestling with, I think, is that the crypto
community already decided that AES and SHA-2 are just fine.
In large part because we trusted NIST. If we do not trust NIST ...
On Oct 2, 2013, at 6:23 PM, Jon Callas wrote:
[snipped quoted text]
> I'm not implying at all that AES or SHA-2 are broken. If P-384 is broken, I
> believe the root cause is more that it's old than it was backdoored.
>
> But it doesn't matter what I think. This is a trust issue.
First, thank
I would also state though, to avoid being too conspiratorial. That it
can also imply that AES is simply in peril and they want to move off of
it before it is fully broken.
On 02/10/2013 6:49 PM, James A. Donald wrote:
> On 2013-10-03 04:50, d.nix wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Has
On 2013-10-02, at 5:23 PM, Jon Callas wrote:
> A friend of mine offered this analogy -- what if it was leaked that the
> government replaced all of a vaccine with salt water because some nasty
> jihadis get vaccinated. This is serious and pretty horrifying. If you're a
> responsible doctor, an
On 2013-10-03 21:56, coderman wrote:
On Thu, Oct 3, 2013 at 4:28 AM, James A. Donald wrote:
...
He does not believe that AES and SHA-2 rest are necessarily broken - but
neither does he believe that they are not broken.
there is a significant difference between avoiding a cipher on principle,
On Thu, Oct 3, 2013 at 4:28 AM, James A. Donald wrote:
> ...
> He does not believe that AES and SHA-2 rest are necessarily broken - but
> neither does he believe that they are not broken.
there is a significant difference between avoiding a cipher on principle,
or association, or abundance of c
On 2013-10-03 19:16, coderman wrote:
On Wed, Oct 2, 2013 at 5:49 PM, James A. Donald wrote:
...
So, people who actually know what they are doing are acting as if they know,
or have good reason to suspect, that AES and SHA-2 are broken.
James this is not true.
i challenge you to find reputabl
On 2/10/13 20:38 PM, Jared Hunter wrote:
Aside from the curve change (and even there), this strikes me as a marketing message
rather than an important technical choice. The message is "we react to a deeper
class of threat than our users understand."
There is a wider concept here. The NSA ha
On Wed, Oct 2, 2013 at 5:49 PM, James A. Donald wrote:
> ...
> So, people who actually know what they are doing are acting as if they know,
> or have good reason to suspect, that AES and SHA-2 are broken.
James this is not true.
i challenge you to find reputable positions backing this assertion
On 3/10/13 01:23 AM, Jon Callas wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Oct 2, 2013, at 12:26 PM, coderman wrote:
On Wed, Oct 2, 2013 at 10:38 AM, Jared Hunter wrote:
Aside from the curve change (and even there), this strikes me as a marketing message
rather than an import
For reflection: What percent of domestic and global communications are
protected from the collection of plaintext or session information by AES?
Who has the capability and the desire to avoid going dark on that portion of
data flows? Is this an example of a high-value target for corruption? If t
On 2013-10-03 04:50, d.nix wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Yeah, it may well be just marketing. The one thing that gives me pause
is that Callas and Schneier are both part of the team that worked on
the systems they have chosen to migrate to (Twofish, Skein), and
Schneier
On 2013-10-03 05:26, coderman wrote:
this change, while not materially affecting security (the weakest link
in SilentCircle was never the crypto) succeeds in conveying the
message of integrity as paramount.
so yes, a marketing message, but a simple one. i have no problem with
this as long as the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Oct 2, 2013, at 12:26 PM, coderman wrote:
> On Wed, Oct 2, 2013 at 10:38 AM, Jared Hunter wrote:
>> Aside from the curve change (and even there), this strikes me as a marketing
>> message rather than an important technical choice. The message i
On Wed, Oct 2, 2013 at 10:38 AM, Jared Hunter wrote:
> Aside from the curve change (and even there), this strikes me as a marketing
> message rather than an important technical choice. The message is "we react
> to a deeper class of threat than our users understand."
it is simpler than that.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Correction; Callas worked on Threefish, not Twofish, however the
Schneier connection still holds given their past and present
associations...
On 10/2/2013 11:50 AM, d.nix wrote:
>
>
> Yeah, it may well be just marketing. The one thing that gives me
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Yeah, it may well be just marketing. The one thing that gives me pause
is that Callas and Schneier are both part of the team that worked on
the systems they have chosen to migrate to (Twofish, Skein), and
Schneier is one of the very few people to see
Aside from the curve change (and even there), this strikes me as a marketing
message rather than an important technical choice. The message is "we react to
a deeper class of threat than our users understand."
Fair enough, but I'd hardly stop using AES or the larger SHA-2 variants on the
back of
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Callas' blog post:
http://silentcircle.wordpress.com/2013/09/30/nncs/
On 10/2/2013 8:41 AM, ianG wrote:
> http://www.infoworld.com/print/228000
>
> October 02, 2013 Silent Circle moves away from NIST cryptographic
> standards, cites NSA concerns Th
http://www.infoworld.com/print/228000
October 02, 2013
Silent Circle moves away from NIST cryptographic standards, cites NSA
concerns
The company plans to replace AES and SHA-2 with Twofish and Skein in its
encrypted communication services
By Lucian Constantin | IDG News Service
Silent Circle
47 matches