comment on

Have any of you good monks any knowledge of an organisation called German Institute for Security in Information Technology?

This name turned up in a web page whilst I was doing some research into what makes Math::Random::MT unsuitable fro cryptographic purposes (that's the Perl link:).

That page cites this very impressive organisation as having produced this very impressive sounding set of criteria for evaluating CSPRNGs.

So, I went looking to see who these guys were, with a view to trying to find out how the came up with those criteria--and that's where things start getting confusing. Google lists exactly two references to this organisation. One is the earlier referenced wikipedia page; the other is a pdf at the springerlink website that it refuses to let me see.

If you expand the "search with omitted results included", you'll find a dozen more references that all appear to be plagiarised from the original wikipedia page.

I also tried searching for "GESIT", and that gets more hits, and the first looks likely but turns out to be something to do with geography, and in any case, the link redirects to a .cx url, which tells you nothing and doesn't inspire confidence.

Now if these 4 criteria are so authoritative, one would expect that the organisation that produced them would have done some other important work in the field of IT security. And as such, you might expect that it would have a web footprint. You might also expect that there might be some documentation of the basis upon which it arrived at these 4 criteria. You might also expect that work to (at least) be referenced from one or more of the established clearing houses for citations and IT-related papers: like ACM, or CiteSeer, or one of the dozen or so others. But nada, zip, ziltch, nary a mench.

The question.

So, does anyone know anything about this organisation? Is it an authoritative government institution? A fly-by-night quango? A private company with an official sounding title? A complete ghost?

In the field of security more than any other I've tried, the internet abounds with "security" companies and organisations doling out reams of sophisticated sounding advice and judgement criteria, but so often when I try to track these to source, they end up being dead ends(*).

The only other thing that comes close is "medical advice". I once tried to track down the basis of the World Health Organisation radiation exposure guidelines, and to the best of my ability to find out, they seem to have been plucked from the air by some committee at some point in the past and have become the defacto-standard ever since.

(*)Note: I'm not saying that is the case with GISIT, just that it seems possible given what I have been able to discover so far.

Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.

"Science is about questioning the status quo. Questioning authority".

In the absence of evidence, opinion is indistinguishable from prejudice.

"Too many [] have been sedated by an oppressive environment of political correctness and risk aversion."

In reply to [OT] What is "the German Institute for Security in Information Technology"? by BrowserUk

Are you posting in the right place? Check out Where do I post X? to know for sure.
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
Want more info? How to link or How to display code and escape characters are good places to start.