Bernhard Kuemel wrote:

> And surely you would apply your opinion to any kind of
> cryptography like pgp, ssl, etc. There are millions of users out
> there who do not have the skills (programming, mathematics) to
> verify such code. Calling them beyond stupid for that is
> inappropriate. Blindly relying on software may be foolish, but if
> you keep an open eye for warnings from those that have the skills
> and do verify the code of popular software it is ok.

Agreed strongly. I am a (perhaps) adequate programmer, and I can use crypto toolkits and/or implement algos I find in books/online. I freely admit I don't have a hope in hell of finding a flaw in the crypto itself - that is why I stick to peer-reviewed algos and, where possible, crypto libraries that other programmer/cryptographers have peer-reviewed. (Yes, I try to carry out my own source-code reviews. No, I don't have the time or resources to evaluate a big project like pgp 6.x; I certainly compile my own ckt builds, but I have reviewed less than 5% of the code, which is probably a lot more than most skilled programmers would even bother to do - and even then, mostly in modules that are concerned with memory locking, as I am more interested in how pgp does this than the crypto itself.)
> And - who guarantees that the code that is published is the same
> that is used on the servers?

Well, I would - I wouldn't dream of running a server whose code I hadn't compiled myself; I would also zip up source, zip up binaries and detached-sign both to form a final archive available for download from my server.

However, how far can I take that? Assuming that I run linux and compile my own kernel and ssl/ssh/etc - how much *can* I compile by myself and not spend my entire life checking for (for example) K&R style self replicating patchers in the compiler? There is a line beyond which a healthy paranoia about security becomes an unhealthy obsession which paralyses the user from ever performing ANY actions.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
