Re: TrueCrypt 4.0 Out
From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: Sun, 6 Nov 2005 22:30:49 +0000 (UTC)

Kelsey Bjarnason wrote:
>On Fri, 04 Nov 2005 21:49:04 +0000, David Wagner wrote:
>> That's exactly backwards. When choosing an information security
>> system, you should assume it insecure until proven secure. Doing
>> anything else leads to a very high risk of security breaches.
>So what system are you going to use? This leaves out any conventional
>system - RSA, for example - because they're not provably secure.

Probably the word "proof" is too strong. I would look for systems
where there is positive evidence for their security. We might not have
mathematical reason, but we have some reason to believe that RSA is
probably pretty good.

Probably the most important point I wanted to make, though, is that
absence of evidence of insecurity is not the same as evidence of security.