Re: VSACM V2.0 Source Code Request (fwd)

Jim Choate <ravage@EINSTEIN.ssz.com> writes:
Forwarded message:
Subject: VSACM V2.0 Source Code Request
Date: Fri, 14 Mar 1997 23:31:49 -0600 (CST)
I would appreciate receiving a copy of the source code for your encryption software, for the purpose of peer review.
These sorts of requests are setting a bad precedent. All that should be needed for peer review is the algorithmic expression of the software, not its source code. The only issue that public review should consist of is the strength of the algorithm. Questions relating to specific implementation questions should be done between vendor and client in private (caveat emptor!). What those questions should be should be open to public review as well. Class, not instance.
Public review should be concerned with the characteristics of specific algorithms and not the honesty of the particular implementor.
I disagree. Remember when a widely available C implementation of the Blowfish algorithm was found to have a bug that significantly weakened its security? The bug was in the C implementation, not the algorithm itself.
By the way, I requested the source code from Mr.Ramos within minutes after he made the offer on this mailing list and haven't heard back from him yet.
---
Dr.Dimitri Vulis KOTM
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

Dr.Dimitri Vulis KOTM wrote:
Jim Choate <ravage@EINSTEIN.ssz.com> writes:
Forwarded message:
Subject: VSACM V2.0 Source Code Request
Date: Fri, 14 Mar 1997 23:31:49 -0600 (CST)
I would appreciate receiving a copy of the source code for your encryption software, for the purpose of peer review.
These sorts of requests are setting a bad precedent. All that should be needed for peer review is the algorithmic expression of the software, not its source code. The only issue that public review should consist of is the strength of the algorithm. Questions relating to specific implementation questions should be done between vendor and client in private (caveat emptor!). What those questions should be should be open to public review as well. Class, not instance.
Public review should be concerned with the characteristics of specific algorithms and not the honesty of the particular implementor.
I disagree. Remember when a widely available C implementation of the Blowfish algorithm was found to have a bug that significantly weakened its security? The bug was in the C implementation, not the algorithm itself.
By the way, I requested the source code from Mr.Ramos within minutes after he made the offer on this mailing list and haven't heard back from him yet.
I also requested a copy and as of Sat Mar 15 11:33:17 CST 1997 have not heard anything from Mr. Ramos yet. I hope to receive it very soon, as Mr. Ramos promised.
- Igor.
participants (2): dlv@bwalk.dm.com, ichudov@algebra.com