-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Jun 18, 2012, at 5:26 AM, Matthew Green wrote:
> The fact that something occurs routinely doesn't actually make it a good
> idea. I've seen stuff in FIPS 140 evaluations that makes my skin crawl.
>
> This is CRI, so I'm fairly confident nobody is cutting corners. But that
> doesn't mean the practice is a good one.

I don't understand.

A company makes a cryptographic widget that is inherently hard to test or
validate. They hire a respected outside firm to do a review. What's wrong with
that? I recommend that everyone do that. Un-reviewed crypto is a bane.

Is it the fact that they released their results that bothers you? Or perhaps
that there may have been problems that CRI found that got fixed?

These also all sound like good things to me.

Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii
wj8DBQFP32NnsTedWZOD3gYRAuxbAKCvzWt3/+jKq5VadSBLBo6hfT9L8wCeJT15
8e6Ll1xBvXe8IojvRDvksXw=
=jAzX
-----END PGP SIGNATURE-----
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography