Comment by bananapub
3 years ago
how could NIST possibly be "one of our most sacrosanct institutions" after the NSA already fucked them with Dual_EC_DRBG?
whoever wants to recommend standards at any point since 2015 needs to be someone else
https://en.wikipedia.org/wiki/NIST_SP_800-90A for those who have forgotten.
Look, my point is that there are lots of companies around the world who can’t afford highly skilled mathematicians and cryptographers on staff. These institutions rely on NIST to help them determine what encryption systems may make sense. If NIST is truly adversarial, the public has a right to know and determine how to engage going forward.
They don't have to (and shouldn't) retain highly skilled mathematicians. Nobody is suggesting that everyone design their own ciphers, authenticated key exchanges, signature schemes, and secure transports. Peer review is good; vital; an absolute requirement. Committee-based selection processes are what's problematic.
Where does the non-cryptographer public find out about the current consensus of the literature? Genuine question.
I'm just saying, you're speaking as an expert in the field. Let's say you don't want to design any of that stuff but you need some parts of those systems for the thing you're building. How do you decide what you can or can't trust without having deep knowledge of the subject matter?
Maybe that's it, maybe you can't?