Date:      Fri, 10 Dec 2004 15:31:22 -0700 (MST)
From:      "Ryan Sommers" <ryans@gamersimpact.com>
To:        "Mark Murray" <markm@FreeBSD.ORG>
Cc:        freebsd-arch@freebsd.org
Subject:   Re: Adding standalone RSA code
Message-ID:  <49534.208.4.77.66.1102717882.squirrel@208.4.77.66>
In-Reply-To: <200412101755.iBAHt55A090986@grovel.grondar.org>
References:  Your message of "Fri, 10 Dec 2004 08:57:42 PST." <41B9D586.5070403@wadham.ox.ac.uk> <200412101755.iBAHt55A090986@grovel.grondar.org>

Mark Murray said:
> Colin Percival writes:
>>  > Is size really a concern?
>>
>> No.  The size is a side-effect of having a minimal, highly secure,
>> library, and was not a design consideration.
>
> "New" very often means "Insecure". I'd rather see something with lots
> of eyes over it, and OpenSSL has the advantage of having quite a few
> competent crypto guys grovel through it.
>
> I'm still inclined to say "Please stick with OpenSSL; it is the devil
> we know."

I have to say I'm with Mark and das@ (I believe it was). As good as
smaller and more efficient sounds, when it comes to crypto libraries I'd
rather stick with OpenSSL. It's definitely a lot more source code,
however, as stated above, it has quite a few more eyes on it as well.

With more people working on OpenSSL and auditing it I feel more
comfortable with a large developer-base familiar with the same code should
an issue crop up. What happens if during a lapse of ENOTIME for you a bug
comes up with the library and exposes a severe security flaw for an
application making use of it?

-- 
Ryan Sommers
ryans@gamersimpact.com
