| To: | Jake Appelbaum <jacob,AT,appelbaum,DOT,net> |
| Subject: | Re: My response to both the analysis of CIPE by Gutmann, Slashdot and the response by the CIPE list |
| From: | Damion Wilson <dwilson,AT,ibl,DOT,bm> |
| Date: | Thu, 25 Sep 2003 10:57:36 -0300 |
| Cc: | cipe-l,AT,inka,DOT,de |
| In-reply-to: | <1064495379.428.21.camel@eris> |
| References: | <1064495379.428.21.camel@eris> |

I don't have a problem with a cryptanalyst providing an appraisal of our project; in fact, I welcome it. However, I do have a problem with that same cryptanalyst deciding, in 15 minutes or less, that the design goals of a project constitute "serious flaws" in implementation. Furthermore, I think that just because someone of Peter Gutmann's reputation and stature stands up and provides a list of "fixes" for a project doesn't mean that everything on said list is necessary, important, or even correct.

This situation for us is not unlike the Hallowe'en documents re: Linux some years back. They did provide some insight into how Linux and Samba could be improved, but they were hardly an itemised todo list. Should we abandon the project just because he said we should? That was the tone which emanated from his original posting, not one of improvement.

I understand that you are not a cryptanalysis expert nor a VPN developer, but you still appear to accept Peter Gutmann's analysis as definitive. Imploring us to "get this fixed" based solely on his appraisal is insulting, not helpful.

DKW

On Thursday 25 September 2003 10:09 am, Jake Appelbaum wrote:
> Please allow me to introduce myself.
>
> I am neither a CIPE developer nor a cryptanalysis expert.
>
> I am however a security consultant who deals primarily in Free/Open
> Source Software. I have used CIPE in the past as well as other
> Free/Open/Non-Free products for use in VPN solutions.
>
> I wanted to contribute an outsider's perspective.
>
> ...