On 1/7/2015 1:46 PM, shawn wilson wrote:
On Wed, Jan 7, 2015 at 1:26 PM, Kevin <[email protected]> wrote:
Any company could review it and decide if it's worth using or not.
Ok, lets run with that - as a company, show me the steps (make file, a
test suite in any programming language, or just english if you
prefer), explain to me the steps one would go through to verify your
crypto isn't battshit crazy?
There have discussions about frameworks to test crypto on this list
and iirc a few exist but I haven't gone though the time to figure out
how to implement something. So, if you (or anyone else) has a
verification method, I'm all ears.
And, I'm not the smartest one (on this list or even the smartest
sysadmin) but if I don't know, I wouldn't expect at least the majority
of other devs/admins to know how to verify your crypto past the
simplest code review (I wouldn't have a clue how to besides fuzzing
some stuff from the outside).
Hence I say, it's a mistake to publish any toy you want to call "crypto".
Surely a company would pay top dollar to protect itself. Oh and let's
not rule out good sense. If you feel in your gut that you can't trust
something, that probably is a good instinct. As a security nut I use
this policy and it works for me.
--
Kevin
---
This email is free from viruses and malware because avast! Antivirus protection
is active.
http://www.avast.com
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
