
Re: [NTSEC] SKIPJACK / NT4.0 (SP3?) (fwd)




-----BEGIN PGP SIGNED MESSAGE-----

In <[email protected]>, on 12/29/97 
   at 12:44 PM, David Honig <[email protected]> said:

>At 11:12 AM 12/26/97 -0600, William H. Geiger III wrote:
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA1
>>
>>In <[email protected]>, on
>>12/26/97 
>>   at 11:45 AM, Ray Arachelian <[email protected]> said:
>>
>>>Now this is interesting! :)  (Either that or JA is smoking crack... - no
>>>idea on JA's reputation capital though...)
>>
>>Well to be honest anyone who would trust the M$ crypto API gets what they
>>deserve.
>>
>>

>Is this just random MS-baiting or do you have a real point re the API?

>The API describes an interface to things you'd need for a cryptosystem. I
>believe it is up to implementors to instantiate the functions
>appropriately.


1. The source code for the crypto API is not available for peer review. I
would not recommend using any crypto API where I was unable to review if it
performed as advertised.

2. If one does not have the ability of peer-review then one must rely on
trust. Through past actions MS has shown itself to be an untrustworthy
company (IMHO trust is not a sufficient replacement for peer review).

3. The MS crypto API cannot be modified nor replaced. Export versions of
the MS API contain only export approved algorithms of export approved
strength.

I think the 3 reasons above should be sufficient reason not to use the
API.

This is not solely an attack against M$. The same argument can be used
against SUN, IBM, RSADSI, Lotus, ...etc.

I wouldn't trust any of them to tell me that water was wet let alone tell
me that their crypto APIs were secure. No Code = No Trust!!

- -- 
- ---------------------------------------------------------------
William H. Geiger III  http://users.invweb.net/~whgiii
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html                        
- ---------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a-sha1
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000

iQCVAwUBNKfqxI9Co1n+aLhhAQFf9gP/e3gdjHaiRPcZeeSHJj/zaOF2On3EncPR
kfvuVL83zoa2MzBeMaQAskkXn+j4B7mDPBKhbn6tbK5da7JXgvZxEFPTc3WIaxMk
Y9KIZLHmzSbQZGQn/pKD+63Naw6apZMaNLM8i2cEhuGbavURXLl5lSnnVsSgIVCk
RD5FIhr9vQU=
=TwPk
-----END PGP SIGNATURE-----