> Victor Duchovni wrote:
> > Because in almost all cases that's exactly the right advice.
> >
> > The cryptography learning that is sufficient and desirable is from books
> > such as "Applied Cryptography" which cover protocols and algorithms
> > at a high level. Studying the implementation or creating one's own
> > implementation is for experts who don't need to ask questions, or ask
> > sufficiently interesting questions that it is clear they are experts.
>
> As soon as someone tells me that I shouldn't learn about something and
> that it is in my best interests to remain ignorant, I no longer trust that
> thing, or the people giving the advice. This is especially true of crypto.
>
> Regards,
> Graham

He didn't say you shouldn't learn about something or that it's in your best interests to remain ignorant, he pointed out that you are starting in completely the wrong place. If you honestly think investigating the implementation of OpenSSL will yield you useful information on whether or not you should trust it, you are seriously deluded.

The implementation of OpenSSL is regularly scrutinized by real honest-to-goodness cryptography experts, and if you look at the last ten significant security issues found in OpenSSL, there's maybe one that could conceivably have been located by someone who is not a serious crypto expert.

On the flip side, it's easy for a non-expert to screw it up by thinking there's something he can/should mess with in there. For example:
http://blogs.computerworld.com/fixing_debian_openssl

You are barking up the wrong tree and ignoring good advice.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org