Jake Appelbaum <jacob,AT,appelbaum,DOT,net>|
Re: My response to both the analysis of CIPE by Gutmann, Slashdot and the response by the CIPE list|
Damion Wilson <dwilson,AT,ibl,DOT,bm>|
Thu, 25 Sep 2003 19:21:11 -0300|
<1064495379.428.21.camel@eris> <firstname.lastname@example.org> <1064499214.472.78.camel@eris>|
I'm certainly not arguing to do nothing. You have misinterpreted my intent.
Peter Gutmann hasn't bothered to understand what CIPE is used for and until
uses the product or bothers to communicate with actual users/developers he
cannot make a complete and accurate appraisal. He just can't. When I use "15
minutes" to describe his posting, it draws attention to the fact that he
hasn't tested any of his assertions. Not even a cursory test attack has been
written. He still doesn't seem to know that we mostly use Blowfish.
I saw Eric Hopper's post earlier and the more crypto-savvy members of the
community are already thinking about how to address some or all of the issues
raised, but none are stupid enough to accept this man's word as gospel
without being able to corroborate.
I personally don't care that much about what Peter Gutmann says, even while
accepting that I am but a mental midget compared to his crypto knowledge, but
I do care about the CIPE users. I'd rather that they had the complete truth
about this rather than Gutmann's "drive by shooting" approach and it's going
to take some time to even determine if the theoretical threats form plausible
If the community does come up with some changes to the protocol, then I will
have to go and implement them. Fair enough. But the seagull management style
just wasn't cool, and insulting a community isn't the way to help it.
I'm not in disagreement here. I'm just arguing for less knee jerking.
On Thursday 25 September 2003 11:13 am, you wrote:
> On Thu, 2003-09-25 at 15:57, Damion Wilson wrote:
> > I don't have a problem with a cryptanalyst providing an appraisal of our
> > project, in fact I welcome it. However, I do have a problem with that
> > same cryptanalyst deciding, in 15 minutes or less, that the design goals
> > of a project constitute "serious flaws" in implementation.
> It's not the amount of time spent on the analysis that matters in this
> case, it's the quality. He has many correct statements. The ones that
> cannot be fixed without scrapping the project should be undertaken and
> then the risks that are inherent after need to be OBVIOUSLY stated.
> > Furthermore, I think
> > that just because someone of Peter Gutmann's reputation and stature
> > stands up and provides a list of "fixes" for a project doesn't mean that
> > everything on said list is necessary, important, or even correct.
> You may this this but I am going to side with Gutmann. He knows crypto.
> I trust him over someone who I know nothing about. Also his ideas and
> statements aren't that far off from what I imagine other cryptographers
> would say, minus the sound-wave comment.
> > This situation for us is not unlike the Hallowe'en documents re: Linux
> > some years back. They did provide some insight into how Linux and Samba
> > could be improved, but they were hardly an itemised todo list.
> Not quite.
> > Should we abandon the project just because he said we should ? That was
> > the tone which emanated from his original posting, not one of
> > improvement.
> So make him eat his words by fixing it, not by making excuses.
> > I understand that you are not a cryptanalysis expert nor a VPN developer,
> > but you still appear to accept Peter Gutmann's analysis as definitive. By
> > imploring us to "get this fixed" based solely on his appraisal is
> > insulting, not helpful.
> I accept facts as something definitive.
> Gutmann pointing those facts out and standing behind them leads me to
> agree with him over: "we don't need a bank vault."
> > DKW
> > On Thursday 25 September 2003 10:09 am, Jake Appelbaum wrote:
> > > Please allow me to introduce myself.
> > >
> > > I am neither a CIPE developer nor a cryptanalysis expert.
> > >
> > > I am however a security consultant who deals primarily in Free/Open
> > > Source Software. I have used CIPE in the past as well as other
> > > Free/Open/Non-Free products for use in a VPN solutions.
> > >
> > > I wanted to contribute an outsiders perspective.
> > ...