On Wed, Feb 22, 2012 at 2:53 AM, James A. Donald <[email protected]> wrote:
> On 2012-02-22 12:31 PM, Kevin W. Wall wrote:
>> 1) They think that key size is the paramount thing; the bigger the
>> better.
>> 2) They have no clue as to what cipher modes are. It's ECB by default.
>> 3) More importantly, they don't know how to choose a cipher mode (not
>> surprising, given #2). They need to understand the trade-offs.
>> 4) They have no idea about how to generate keys, derived keys, IVs,
>> 5) They don't know what padding is, or when/why to use it.
>> 6) They have a very naive concept of entropy...where/when to use it
>> and from where and how to obtain it.
>
> The Debian debacle was none of the above - the patch was simply obviously
> stupid even if one had no idea about what the software was supposed to be
> doing.

Remember, OpenSSL gave tacit approval: "If it helps with debugging, I'm in favor of removing them," http://www.mail-archive.com/[email protected]/msg21156.html.
OpenSSL Team Members: http://www.openssl.org/about/.

Jeff
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
