[Cryptography] RSA is dead.
Patrick Mylund Nielsen
cryptography at patrickmylund.com
Sun Dec 22 18:17:45 EST 2013
On Sun, Dec 22, 2013 at 4:59 PM, Bill Cox <waywardgeek at gmail.com> wrote:
> Nonsense. Most other equally capable developers should be able to
> discover a backdoor with far less effort to hide it. Reading other
> people's code is a skill that some people never acquire, but it's generally
> easier to understand someone else's code entirely than to have created it
> from scratch.
>
http://cm.bell-labs.com/who/ken/trust.html
>
> If the code is so obscure that this is not the case, that code should not
> be used in crypto.
>
But how will we do crypto then? :)
Open source can certainly help, but it's far from a panacea. Even huge
projects like Ruby on Rails, PHP, even Linux, still have huge security
holes (code execution, privilege escalation) that have been there for years
and were *not* obscured. You're assuming that, not only will anyone look at
your code at all, they will have training in cryptography, know to be
looking for something bad, and spend a large amount of time on finding it.
All very big "if's."
I am not suggesting that closed source provides much more than obscurity
and a simpler route to profits, but the act of open sourcing your software
accomplishes nothing if nobody qualified actually reads it (apart from
giving you the PR benefit of being able to say "we're open source.")
History has shown countless times that open sourcing alone doesn't fix bad
code practices; it's not likely to more readily fix malicious ones.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20131222/49e0ada4/attachment.html>
More information about the cryptography
mailing list