Re: Adding standalone RSA code

From: Ryan Sommers (ryans_at_gamersimpact.com)
Date: 12/10/04

    Date: Fri, 10 Dec 2004 15:31:22 -0700 (MST)
    To: "Mark Murray" <markm@FreeBSD.ORG>
    
    

    Mark Murray said:
    > Colin Percival writes:
    >> > Is size really a concern?
    >>
    >> No. The size is a side-effect of having a minimal, highly secure,
    >> library, and was not a design consideration.
    >
    > "New" very often means "Insecure". I'd rather see something with lots
    > of eyes over it, and OpenSSL has the advantage of having quite a few
    > competent crypto guys grovel through it.
    >
    > I'm still inclined to say "Please stick with OpenSSL; it is the devil
    > we know."

    I have to say I'm with Mark and das@ (I believe it was). As good as
    smaller and more efficient sounds, when it comes to crypto libraries I'd
    rather stick with OpenSSL. It's definitely a lot more source code,
    however, as stated above, it has quite a few more eyes on it as well.

    With more people working on OpenSSL and auditing it I feel more
    comfortable with a large developer-base familiar with the same code should
    an issue crop up. What happens if during a lapse of ENOTIME for you a bug
    comes up with the library and exposes a severe security flaw for an
    application making use of it?

    -- 
    Ryan Sommers
    ryans@gamersimpact.com
    _______________________________________________
    freebsd-arch@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-arch
    To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"
    
