[CentOS] Can we trust RedHAt encryption tools?

Mon Jan 6 19:38:42 UTC 2014
James B. Byrne <byrnejb at harte-lyne.ca>

> RHEL nowadays already supports Elliptic Curve on openssl.

Which completely misses the point.

First, the initial settings of the EC are significant in determining the
strength of the resulting cipher.  There is considerable evidence that
suggests that some of these default settings have been proposed by or adopted
on behalf of interests that would benefit from having an easily compromised
encryption technique.  While the algorithm may be strong, a carefully crafted
initial setting might be all it takes to render it vulnerable.

Second, the delay in providing ECC in itself taken together with the abrupt
and unexplained resolution to this matter subsequent to Snowden's revelations
respecting the complicity of commercial entities in furthering illicit
surveillance raises my suspicion that there is more to this than meets the
eye.

We are talking about a matter of trust and I am afraid to say that my
suspicions of the motives of large commercial enterprises in matters of trust
looms large in my thinking.  If it turns out to be the case that RH withheld
ECC from its users because of the pressure of some external interest we cannot
be certain that this was the only item that was affected.

I am really at a loss as to how to proceed.  Do I move off CentOS entirely?
Where to?  What other distribution of similar stature exists that is itself
not subject to exactly the same forces that may have been brought to bear on
RedHat?


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
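The post argues that which curve parameters a vendor ships matters as much as whether "EC" is supported at all. The practical counterpart for an administrator is to know which named curve each EC key in the estate actually uses, so that a curve policy can be enforced regardless of what the distribution's OpenSSL defaults to. The following is an added example written for this page, not code from the list thread or from Red Hat: a small stdlib-only DER walker that pulls the namedCurve OID out of an EC SubjectPublicKeyInfo (the format inside `-----BEGIN PUBLIC KEY-----` blocks and X.509 certificates) and checks it against an allow-list. The curve OIDs are the standard ones from RFC 5480 and SEC 2; the sample key is constructed inline with a dummy point, since only the algorithm parameters are inspected, and the `make_sample_spki` / `check_curve_policy` names are this example's own.

```python
import base64

# Standard namedCurve OIDs (RFC 5480 / SEC 2) -> human-readable names.
CURVE_OIDS = {
    "1.2.840.10045.3.1.7": "prime256v1 (NIST P-256, secp256r1)",
    "1.3.132.0.34": "secp384r1 (NIST P-384)",
    "1.3.132.0.35": "secp521r1 (NIST P-521)",
    "1.3.132.0.10": "secp256k1",
    "1.3.36.3.3.2.8.1.1.7": "brainpoolP256r1",
    "1.3.36.3.3.2.8.1.1.11": "brainpoolP384r1",
    "1.3.36.3.3.2.8.1.1.13": "brainpoolP512r1",
}
EC_PUBLIC_KEY_OID = "1.2.840.10045.2.1"   # id-ecPublicKey


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn DER OID content octets into dotted-decimal form (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def load_spki(pem_or_der):
    """Accept PEM text/bytes or raw DER and return the DER bytes."""
    if isinstance(pem_or_der, str):
        pem_or_der = pem_or_der.encode()
    if pem_or_der.startswith(b"-----"):
        body = b"".join(l for l in pem_or_der.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return pem_or_der


def curve_of_spki(der):
    """Return (curve_oid, curve_name) for an EC SubjectPublicKeyInfo."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg, _ = _read_tlv(spki, 0)        # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, alg_oid, pos = _read_tlv(alg, 0)
    if tag != 0x06 or decode_oid(alg_oid) != EC_PUBLIC_KEY_OID:
        raise ValueError("not an id-ecPublicKey key")
    tag, params, _ = _read_tlv(alg, pos)
    if tag != 0x06:                         # explicit/implicit parameters: refuse rather than guess
        raise ValueError("curve parameters are not a namedCurve OID")
    oid = decode_oid(params)
    return oid, CURVE_OIDS.get(oid, "unknown curve")


def check_curve_policy(pem_or_der, allowed_oids):
    """Return (allowed, curve_name) for a key against an allow-list of curve OIDs."""
    oid, name = curve_of_spki(load_spki(pem_or_der))
    return oid in allowed_oids, name


# --- constructed fixture (example only): build an SPKI for a given curve -----
def _tlv(tag, value):
    assert len(value) < 128                 # short-form length is enough here
    return bytes([tag, len(value)]) + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def make_sample_spki(curve_oid):
    """Constructed SPKI with a dummy uncompressed point; only the OIDs are meaningful."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(EC_PUBLIC_KEY_OID))
               + _tlv(0x06, _encode_oid(curve_oid)))
    point = b"\x00" + b"\x04" + b"\x11" * 64   # BIT STRING: 0 unused bits, 0x04 marker, dummy x||y
    return _tlv(0x30, alg + _tlv(0x03, point))


if __name__ == "__main__":
    policy = {"1.2.840.10045.3.1.7", "1.3.36.3.3.2.8.1.1.7"}   # site policy: P-256 or brainpoolP256r1
    for oid in ("1.2.840.10045.3.1.7", "1.3.132.0.10", "1.3.36.3.3.2.8.1.1.7"):
        ok, name = check_curve_policy(make_sample_spki(oid), policy)
        print(f"{'ALLOW' if ok else 'DENY '}  {name}")
```

For a real key, feed `check_curve_policy` the contents of a `.pem` file or the SubjectPublicKeyInfo extracted from a certificate; keys whose parameters are not a namedCurve OID are rejected outright, since explicitly specified curve parameters are exactly the case the post worries about and deserve manual review rather than a silent pass.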