[cryptography] Key escrow 2012

ianG iang at iang.org
Fri Mar 30 21:42:34 EDT 2012

On 31/03/12 03:00 AM, Jeffrey I. Schiller wrote:
> Hash: SHA1
>> Nope. If we had won, crypto would be in widespread use today for
>> email. As it is, enough FUD and confusion was sown to avert that
>> outcome. Even on geek mailing lists such as this, signatures are
>> rare.
> Sorry, I beg to differ. The average folks in the world today never
> heard of the crypto war and certainly were not influenced by it.

A bit like saying that the average iPhone user never heard of GSM and 
was certainly not influenced in it :)

> Just
> about every mail client (accept the one I happen to be using :-) ) has
> some form of crypto (usually S/MIME) built in. Yet it isn't being
> used.
> I have heard a lot of speculation as to why crypto isn't being used by
> Joe Average, ranging from its too hard, lack of understanding of key
> management (aka Certificates) [its too hard], and just lack of
> caring. See http://www.simson.net/ref/2004/chi2005_smime_submitted.pdf
> But the crypto wars just isn't a factor.

It's probably more about correlation and hidden causalities.

One of the weapons of the anti-crypto side was over-complexity, desire 
for single points of failure, serialisation of steps.  Things like 
S/MIME exhibit all of those properties, indeed it was so loaded up with 
bad engineering, it failed to get off the ground even when geeks try and 
run it.

But against the opponents of crypto, it still fulfills a purpose.  Its 
benefit is to block any further action in this direction.  There are 
enough people who believe in S/MIME, and these people control enough of 
the vendors such that there is no counter-momentum to replace it with 
something that works [0].

The crypto wars were about opening up that battlefield so that open 
source could start to experiment with lots and lots of alternatives. 
The reason we lost the war was because we thought we'd won it.  We were 
tricked.  What actually happened was a high profile weapon - the export 
control - was loosened up enough just enough to make many think we'd 
won.  All the low-profile weapons were left in place.

There is a Foreign Affairs article that describes the same or similar 
techniques carried out against South Africa.  (I think Ross Anderson dug 
this out at some stage and posted about it ... it's probably worth 
finding it and re-reading it.)

> There is still time to figure out how to get people to use crypto, all
> is not yet lost!

Yeah.  New applications is the opportunity.  We saw this in Skype, when 
a new field was not subject to the old domination.  We didn't so much 
see it with social networks, but there is something of it in there.


[0] fixing s/mime to work is pretty easy - just have the app create & 
share self-signed certs when the account is added/created.  Add in some 
detail, and let it rip.  The point is, you will never ever get the past 
the vendors.

More information about the cryptography mailing list