So, I think we may have weakened this too much. As it stands, "encouraged" does not get across that reports are that the NSA used a contract and paid RSA to make this change. Encouragement could have been in much weaker forms. I understand that the amount of the contract (the dollar figure) may be sensitive, but I think the issue is important enough to be called out. (It's certainly front and center in something like this: http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220) I suggest we do say that a contract and pay are alleged, but do not include the dollar amount. Something like this:
There is also some suspicion that NSA modifications to the DUAL_EC_DRBG random number generator were made to ensure that keys generated using that generator could be predicted by NSA. This RNG was made part of NIST's SP 800-90A, for which NIST acknowledges NSA's assistance. There have also been reports that the NSA paid RSA Security for a related contract with the result that the curve became the default in the RSA BSAFE product line.
A citation to the allegation would make sense as well (the Reuters article linked above being one possibility).
Ted