lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 12 Feb 2015 04:21:14 +0300
From: Solar Designer <>
Subject: Re: [PHC] PHC status report

On Thu, Feb 12, 2015 at 03:20:34AM +0530, Donghoon Chang wrote:
> But, from submitter's point of view, each submitter may expect to receive
> sound report with plentiful paragraphs, since each submitter spent
> plentiful amount of time for that. At least, the panel should be able to
> provide the comparison among candidates in terms of security and
> performance,

Ideally, yes.  However, much of this data is still missing, and arguably
"the panel's job was not to provide new analysis" (as Krisztian wrote).
To use the data that we did have would result in a report that would not
be balanced.  (Not to mention the effort involved in compiling it, which
you say is expected by the submitters.)

> not based on additional features such as elegance, etc.

I see no reason not to include these as well, especially when they _do_
affect the selection.

> So, I request that the PHC Panel may prepare the public report, especially,
> at least for non-finalists. How discouraging it is to write three to four
> words only for the comment for designers of non-finalists! I would like to
> expect a comment like this:
> "We could not choose X algorithm with some reason though X algorithm has
> many good features!"

The "Non-finalists" section in the currently published report does start
with acknowledging that "we are aware of many" advantages of
non-finalists and that "some of these non-finalist submissions could
have been selected" without "what we deemed a more suitable submission
in a (loosely defined) category".

What I understand you're asking for is explicitly listing the "many good
features" of each non-finalist (and I guess the "many bad properties"
of each finalist).  Right?  We certainly discussed that approach prior to
releasing the report the way we did, but we found it difficult to follow
in a balanced fashion.  I am still not sure if the frustration of the
submitters (maybe different ones) would be reduced if we went for this
extra effort.


Powered by blists - more mailing lists