If Zed Shaw was interested in having people review his weird chat protocols, he'd probably:
* Document them without the "mixture of humor, ranting, code, and specification language." The "specification language", presuming it's not in something Zed invented (like Stackish franken-sexps), would do nicely.
* Use well-understood, well-tested primitives, and where he deviates (ECC might be mainstream, but CCM and Needham-Schroeder public key exchange aren't), explain why.
* Describe things in terms of the cryptosystem and the goals, instead of using the least intelligible, most intimidating acronyms he can come up with (seriously, "ISO/IEC 11770-3 Mechanism 6"?).
You're exactly wrong, of course. Zed's using CCM, and an evaluator would want to know what properties his system expects to achieve from doing so. Talking about CBC (or CBC-MACs) would make him look more savvy. Instead, we get "I’ve decided to send it back as Er(Nr) but I’m not sure of the security of this."
I should be clear; I haven't read Zed's documentation and neither approve nor disapprove of what he wrote. My reactions are strictly to the notion that a protocol creator shouldn't mention specifics in a security document -- that's flat out wrong.
Until the snarky bit at the end there, I agreed with you 100%.
Ah, the Internet, where people act tough when they're safe behind their computer screens. You're really cool, getting so riled up about encryption schemes and commenting habits that you're typing swear words at me on a forum.
<shaking my head>
I'll say in advance, don't blame me for the downmods -- I didn't contribute a single one.