Decius wrote:
] ] The Handbook was reprinted (5th printing) in August 2001.
] ] The publisher made all the various minor changes and
] ] updates we submitted.
]
] While this reference is a bit more academic then Schneier's
] book, it is quite useful, and now its available for free
] online. Enjoy!

Nice ... we had access to it online while I was taking such a class in the spring.

I have to say that knowing what I know now, Schneier's
has some shortcomings. e.g. Schneier doesn't give any
analytic framework whatsoever to reason about the security of various constructions from crypto primitives.

What's worse, though probably far from Schneier's intent, it has the effect of giving a lot of folks just enough knowledge to be dangerous. They read AC and then feel empowered to go roll their own crypto for some project instead of using off-the-shelf standards (PGP, X.509, even RSA PKCS, etc). And they get it wrong every time.

bucy wrote:
] They read AC and then feel empowered to go
] roll their own crypto for some project instead of using
] off-the-shelf standards (PGP, X.509, even RSA PKCS, etc). And
] they get it wrong every time.

I think there is a market for a book on applied applied applied cryptography that talks about how to make effective use of time tested libraries, both open and closed, to implement reliable real world systems.

But I think a lot of people don't even understand the basics of Schneier. They don't get why their hash needs a timestamp, even though its clearly explained. Security is just like Databases or UI, in that you can't just up and do it and expect to get it right. Unfortunately, unlike the other two, security fails silently.