Subject: Re: FUD about CGD and GBDE
To: Frank Mayhar <>
From: Todd Vierling <>
List: tech-security
Date: 03/04/2005 12:34:06
On Fri, 4 Mar 2005, Frank Mayhar wrote:

> You go off and use CGD or some other package, perhaps of your own design.
> The rest of us will get along without you somehow.

And several folks have been trying to warn you (et al.) that snake oil is
still snake oil, no matter how it's sold.  PHK is putting GBDE's users AT
RISK by claiming it is "secure", when that claim has not been well analyzed.
If PHK wants experimental new crypto chaining methods, he can feel free to
do that, but he cannot claim that his methods are known to be "secure" until
they have been examined by people who do know what they're talking about.

GBDE should offer industry standard, well-vetted crypto schemes as the
typical default.  Only after well-vetted schemes are provided, could it
provide *additional* experimental crypto, and certainly not under an
unverified "secure" banner.

Trust is paramount in the crypto world.  A crypto scheme has zero trust by
default, even if built on known algorithmic building blocks.  Only after it
has been well vetted by crypto-knowledgeable folks should it be given even
the slightest hint of trust.

-- Todd Vierling <> <>