managing and protecting nyms...

John Young jya at pipeline.com
Sun Nov 8 09:31:05 PST 2009


Peer review is necessary to assure blunders are not overlooked.
However, there has been no demonstration that peer review is all
that is needed for the superior protection. This is not an argument
for obscurity, only a caution that peer review is not necessarily
sufficient. Peers miss stuff too, as amply demonstrated by holes
and bad implementation later discovered.

Betting your life on peer review, or open disclosure is probably
not very smart. Instead, expect some shrewd peer(s) to see
something that will serve a private purpose by keeping quiet.
Competition, betrayal, disinfo, venality, play a role as well
as search for truth through open discourse.

Comsec is a swamp, quicksand, punji trap, and comsec
experts are never trustworthy about each other or about
systems.

The open source methodology, call it snakeoil, works well
for the inexpert to gain a limited education, but behind that stage
the usual shit goes on.

Keeping quiet about crypto cracks, holes, trojans, backdoors,
is extremely rewarding. Concealing deep faults with shallow
ones is SOP.

Note that wide crypto use has become a stimulus to intercept,
store forever (NSA policy), crack when possible and to continue
trying to crack indefinitely (NSA policy), with successful deep
cracks seldom revealed. "NSA policy" is that of deeply embedded
contractors and researchers as well.

Publicly-available encryption and other currently usable comsec
protection are satisfactory for ordinary communications but not
for more than that if you are up to extraordinary renditions, say,
making a bundle peddling natsec-grade counter-threat
assurances. Yep, natsec-grade is what the telecoms and like
critical infrastructure dealers claim they are providing. Nothing
pays better.




