In article <ac85fa9f010210046fb1@DialupEudora>, norm@netcom.com (Norman Hardy) writes:
At 3:46 PM 9/19/95, Jim Ray wrote: ....
I don't expect to know NSA's specific brute-force capability, but does anyone know if the NSA has *ever* found a glaring weakness in software and then told its author(s) or owner(s) about it? Do "we" perform the "COMSEC" role Tim was speaking of better than the NSA? JMR .... Once upon a time NSA would find weeknesses in friends' crypto systems and tell them about it -- depending, of course, on the situation. It was a reciprocal practice. We don't know that NSA didn't tell Netscape.
As far as I know the NSA did not tell Netscape anything about this RNG vulnerability. If they had we would have fixed it immediately and put up a patch. Believe it or not we don't like being trashed for being stupid all over the net, print media, and TV. As far as I know the NSA have not given us any advice about how to make our system stronger. I've heard rumors that they were quite upset when they learned that SSLs 40-bit RC4 was actually 40-bit secret and 88-bit salt. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.