Date: Fri, 10 Dec 2004 15:03:10 -0800 From: Colin Percival <colin.percival@wadham.ox.ac.uk> To: Ryan Sommers <ryans@gamersimpact.com> Cc: freebsd-arch@freebsd.org Subject: Re: Adding standalone RSA code Message-ID: <41BA2B2E.1070304@wadham.ox.ac.uk> In-Reply-To: <49534.208.4.77.66.1102717882.squirrel@208.4.77.66> References: "Your message of Fri, 10 Dec 2004 08:57:42 PST." <41B9D586.5070403@wadham.ox.ac.uk> <200412101755.iBAHt55A090986@grovel.grondar.org> <49534.208.4.77.66.1102717882.squirrel@208.4.77.66>
next in thread | previous in thread | raw e-mail | index | archive | help
Ryan Sommers wrote: > I have to say I'm with Mark and das@ (I believe it was). As good as > smaller and more efficeint sounds, when it comes to crypto libraries I'd ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > rather stick with OpenSSL. You're missing the point. I'm not talking about "smaller and more efficient". I'm talking about "smaller and more secure". > It's definately a lot more source code, > however, as stated above, it has quite a few more eyes on it as well. Openssl has had 8 significant security flaws fixed in the past two years. Yes, they have more eyes looking at their code -- but even if they've found 80% of the security problems in the past two years, that still leaves two major security flaws left. Further, speaking from my experience on secteam, I'm more than a little dubious of the "many eyes" concept anyway (at least when it comes to security issues); the amount of time that security flaws sit in our tree before anyone notices them is rather depressing. > What happens if during a lapse of ENOTIME for you a bug > comes up with the library and exposes a severe security flaw for an > application making use of it? In that case, the 9410 people (at last count) who have used FreeBSD Update in the past couple of years are already in trouble. :-) Colin Percival
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41BA2B2E.1070304>