1997-12-29 - Re: [NTSEC] SKIPJACK / NT4.0 (SP3?) (fwd)

Header Data

From: “William H. Geiger III” <whgiii@invweb.net>
To: David Honig <honig@otc.net>
Message Hash: 245051f37b8cb10711f204ce82ec656ed829d3d0f7b90aaee7e680d3cb84b475
Message ID: <199712291829.NAA21443@users.invweb.net>
Reply To: <3.0.5.32.19971229094401.007a7570@otc.net>
UTC Datetime: 1997-12-29 18:33:49 UTC
Raw Date: Tue, 30 Dec 1997 02:33:49 +0800

Raw message

From: "William H. Geiger III" <whgiii@invweb.net>
Date: Tue, 30 Dec 1997 02:33:49 +0800
To: David Honig <honig@otc.net>
Subject: Re: [NTSEC] SKIPJACK / NT4.0 (SP3?) (fwd)
In-Reply-To: <3.0.5.32.19971229094401.007a7570@otc.net>
Message-ID: <199712291829.NAA21443@users.invweb.net>
MIME-Version: 1.0
Content-Type: text/plain



-----BEGIN PGP SIGNED MESSAGE-----

In <3.0.5.32.19971229094401.007a7570@otc.net>, on 12/29/97 
   at 12:44 PM, David Honig <honig@otc.net> said:

>At 11:12 AM 12/26/97 -0600, William H. Geiger III wrote:
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA1
>>
>>In <Pine.SUN.3.96.971226114446.17857A-101000@beast.brainlink.com>, on
>>12/26/97 
>>   at 11:45 AM, Ray Arachelian <sunder@brainlink.com> said:
>>
>>>Now this is interesting! :)  (Either that or JA is smoking crack... - no
>>>idea on JA's reputation capital though...)
>>
>>Well to be honest anyone who would trust the M$ crypto API gets what they
>>deserve.
>>
>>

>Is this just random MS-baiting or do you have a real point re the API?

>The API describes an interface to things you'd need for a cryptosystem. I
>believe it is up to implementors to instantiate the functions
>appropriately.


1. The source code for the crypto API is not available for peer review. I
would not recommend using any crypto API where I was unable to review if it
performed as advertised.

2. If one does not have the ability of peer-review then one must rely on
trust. Through past actions MS has shown to be an untrustworthy company
(IMHO trust is not a sufficient replacement for peer review).

3. The MS crypto API cannot be modified nor replaced. Export versions of
the MS API contain only export approved algorithms of export approved
strength.

I think the 3 reasons above should be sufficient reason not to use the
API.

This is not solely an attack against M$. The same argument can be used
against SUN, IBM, RSADSI, Lotus, ...etc.

I wouldn't trust any of them to tell me that water was wet let alone tell
me that their crypto APIs were secure. No Code = No Trust!!

- -- 
- ---------------------------------------------------------------
William H. Geiger III  http://users.invweb.net/~whgiii
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html                        
- ---------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a-sha1
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000

-----END PGP SIGNATURE-----





