Jake Appelbaum <jacob,AT,appelbaum,DOT,net>
Re: My response to both the analysis of CIPE by Gutmann, Slashdot and the response by the CIPE list
Damion Wilson <dwilson,AT,ibl,DOT,bm>
Thu, 25 Sep 2003 10:57:36 -0300
I don't have a problem with a cryptanalyst providing an appraisal of our
project, in fact I welcome it. However, I do have a problem with that same
cryptanalyst deciding, in 15 minutes or less, that the design goals of a
project constitute "serious flaws" in implementation. Furthermore, I think
that just because someone of Peter Gutmann's reputation and stature stands up
and provides a list of "fixes" for a project doesn't mean that everything on
said list is necessary, important, or even correct.

This situation for us is not unlike the Hallowe'en documents re: Linux some
years back. They did provide some insight into how Linux and Samba could be
improved, but they were hardly an itemised todo list.

Should we abandon the project just because he said we should? That was the
tone which emanated from his original posting, not one of improvement.

I understand that you are not a cryptanalysis expert nor a VPN developer, but
you still appear to accept Peter Gutmann's analysis as definitive. By
imploring us to "get this fixed" based solely on his appraisal is insulting,

On Thursday 25 September 2003 10:09 am, Jake Appelbaum wrote:
> Please allow me to introduce myself.
> I am neither a CIPE developer nor a cryptanalysis expert.
> I am however a security consultant who deals primarily in Free/Open
> Source Software. I have used CIPE in the past as well as other
> Free/Open/Non-Free products for use in VPN solutions.
> I wanted to contribute an outsider's perspective.