At 03:38 PM 8/10/00, Michael Paul Johnson wrote:
>In case you haven't figured it out, yes, I am seriously contemplating
>writing such a book.
There's certainly a need for defensive programming books oriented towards
security functions, and crypto functions in particular. On the other hand,
there's probably not much need to publish more source code of crypto
algorithms, which is where most of the export control misery resides.
In my own experience, the hard part of building secure software is to
establish the right set of security requirements. Once a good programmer
understands and implements the right requirements, the product should be
OK, assuming that the serious implementation bugs have been found and
fixed. Secure Computing builds some very strong stuff that way.
Originally I intended "Internet Cryptography" as a book for programmers,
and I emphasized the problem of identifying security requirements. The book
has a list of requirements for just about every component choice in a
crypto system. Also, one of the nasty parts of book writing is that of
deciding what material to include and what to omit. I used the lists of
requirements to determine what technical concepts to describe -- I tried to
include everything necessary to explain and justify the individual
requirements, and omitted the rest.
But I found that the really important requirements applied as much to
network administrators who simply bought stuff off the shelf and installed
it. So the book doesn't have much of a programming flavor, especially since
I didn't address defensive programming techniques.
>What would you like to see on the CD-ROM that looks like it would fit
>export license exception TSU (open source, no explicit requirement for
>payment, no key size limits)?
A friend of mine bundled a CD with her book, and she found it to be a
negative. The stuff on the CD was posted to a web site anyway, and the CD
simply jacked up the cost of the book, reducing reader appeal. Check with
your publisher -- the CD probably adds a few bucks to the production
process which in turn adds $5-$10 to the retail cost.
Rick.