Am 05.01.2014 14:40, schrieb Ansgar Wiechers: > On 2014-01-05 li...@rhsoft.net wrote: >> Am 05.01.2014 13:58, schrieb Andreas Schulze: >>> the documentation to these parameters refers the NSA website. However >>> the links are broken. Also I don't feel very comfortable these days >>> if postfix uses crypto approved by NSA :-/ >> >> backed by more than FUD? >> people tend to forget that the NSA has *two* goals >> >> * intrusion in foreign systems >> * protect US infrastructure >> >> point 2 makes http://www.nsa.gov/business/programs/elliptic_curve.shtml >> not more worse than a year ago where nothing was different except nobody >> knew what happened over years > > <http://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters> > > <german> > Fefe blogged about this back in September. > > https://blog.fefe.de/?ts=acceb732 > </german>
the problem here is that Fefe as well as Bruce Schneier (and yes i know who the guy is) are mixing ECC with Dual_EC_DRBG and if you look at the blog-post you see it is 3 months old while in the meantime everybody who is reading IT news knows that Dual_EC_DRBG in OpenSSL is broken, would let crash the application, never will be fixed and is not used in any piece of software to be honest: somebody saying "i do not trust this and that" does not interest me as long there is nothing he can show to prove his feelings - i am IT specialist and not a priest believing in things
