On 1/23/12 12:52 PM, Hubert Kario wrote:
>>> And there's a very good reason why you shouldn't be a fan of such
>>> comparisons: Unlike physical security, properly implemented
>>> cryptography is unbreakable at this time.
>
> I didn't claim that any crypto is properly implemented.

This is not what I read from your first statement.

> I did claim it is far easier to find unbreakable crypto than it is to
> create unbreakable physical security. If TLAs are involved, then
> still the first is only questionable while the second is simply
> impossible.

This claim is false. There is no such thing as unbreakable crypto: it does not exist anywhere. If perfect physical security is impossible and perfect implementations are impossible, then they're both equally unrealistic and there's not a lick of difference between them.

> Also, your example is flawed: any security scheme can be only as good
> as the key.

The example was not flawed. What you're seeing as a flaw is the point I was making, which is that there is no such thing as "properly implemented cryptography."

As an example, GnuPG is certainly competently implemented cryptography, but nobody knows whether it is implemented correctly. Some years ago there was a critical bug with Elgamal signing keys (which is why we can no longer generate Elgamal signing keys: the feature was removed). No one considers this bug to be a reflection on the professionalism of the GnuPG developers: the bug was subtle, survived code review by many people, and could have arisen in any software development process. But the fact remains that Elgamal signatures in GnuPG were not implemented properly and the entire security of GnuPG-generated Elgamal signatures was in jeopardy as a result.

If you believe GnuPG is "properly implemented," well, all right: but did you also believe that before the Elgamal bug? If you did, then apparently the mechanism by which you come to these conclusions is defective, and perhaps a little skepticism is warranted.

The phrase "properly implemented cryptosystem" should never be used except in a context of skepticism that such a beast has ever existed, or could ever exist.