[cryptography] Bonding or Insuring of CAs?

ianG iang at iang.org
Sat Jan 26 04:24:52 EST 2013

Top-posting and +1ing on a few responses.  Two points, on pedagogy, and 

Pedagogy.  In cryptography, we teach people to analyse existing 
algorithms and systems, before attempting to build their own.  This 
really takes a long time, years or a decade.  We don't expect junior 
cryptographers to succeed in bettering the algorithms of their forebears 
for a decade, nor do we expect junior programmers to develop great 
architectures until they've hacked their way through a half-dozen bad ones.

SSL/PKI stands as the most popular cryptographic system on the Internet. 
  It was conceived more or less for and by Internet people, with 
Internet needs in mind.  It has been universally adopted by the biggest 
application on the net - the web.

It therefore stands as the greatest example of a system - for good or 
bad.  It has to be studied, and everyone in the field has to be familiar 
with its good points or bad points, as boring as that gets for those who 
have already researched it to death.  Just like AES or DES before it. 
(That's all OP is doing, investigating current events as to why SSL, our 
greatest example, is failing against modern threats.)

We older folk have to pass on to a new generation, so we have to be 
patient and allow the new folk to roam the turf.

Grounding.  Cryptography, pure, without application in mind, is just an 
academic pursuit, like mathematics or astronomy or nuclear physics. 
Beautiful, elegant, challenging but mostly esoteric.

Only cryptography with a grounding in the real world is an applied 
science.  Tying cryptography to a real need is not only necessary, it is 
what separates us from (eg) the quantum people, who can be criticised as 
academically and financially fraudulent.

Fraud is 3 things:  (1) a deceptive statement, (2) an intent to benefit 
financially, and (3) actual damages.  All three are variously present in 
the field of quantum encryption:  (1) academics and others prepare 
papers and grant requests saying that quantum cryptography is important 
to solve important problems we can't otherwise solve.  Which is a 
deception, anyone with any knowledge of cryptography knows we can do 
secure comms without it.  (2) they do it to get their grant money, and 
(3) they get their grant money, so someone else doesn't.

As an example -- the point being that grounding in real world needs is 
essential for people to contribute to society, and SSL shows weaknesses 
in that area.  So if you want to be useful, you are forced to look at 
wider things than the pure, mathematical aspects of cryptography.


PS: I personally think top-posting is fine if the response is not 
point-wise aligned, but is instead general.  Also, the whole world uses 
top-posting, it is only the older folk from the pre-web age who 
understand the higher precision in interleaved responses.  That is, us 
older folk should relax a little, else wise we'll just be unhappy 
without end :)

More information about the cryptography mailing list