[cryptography] Bonding or Insuring of CAs?
iang at iang.org
Sat Jan 26 04:24:52 EST 2013

Top-posting and +1ing on a few responses. Two points, on pedagogy, and

Pedagogy. In cryptography, we teach people to analyse existing
algorithms and systems, before attempting to build their own. This
really takes a long time, years or a decade. We don't expect junior
cryptographers to succeed in bettering the algorithms of their forebears
for a decade, nor do we expect junior programmers to develop great
architectures until they've hacked their way through a half-dozen bad ones.

SSL/PKI stands as the most popular cryptographic system on the Internet.
It was conceived more or less for and by Internet people, with
Internet needs in mind. It has been universally adopted by the biggest
application on the net - the web.

It therefore stands as the greatest example of a system - for good or
bad. It has to be studied, and everyone in the field has to be familiar
with its good points or bad points, as boring as that gets for those who
have already researched it to death. Just like AES or DES before it.

(That's all OP is doing, investigating current events as to why SSL, our
greatest example, is failing against modern threats.)

We older folk have to pass on to a new generation, so we have to be
patient and allow the new folk to roam the turf.

Grounding. Cryptography, pure, without application in mind, is just an
academic pursuit, like mathematics or astronomy or nuclear physics.
Beautiful, elegant, challenging but mostly esoteric.

Only cryptography with a grounding in the real world is an applied
science. Tying cryptography to a real need is not only necessary, it is
what separates us from (eg) the quantum people, who can be criticised as
academically and financially fraudulent.

Fraud is 3 things: (1) a deceptive statement, (2) an intent to benefit
financially, and (3) actual damages. All three are variously present in
the field of quantum encryption: (1) academics and others prepare
papers and grant requests saying that quantum cryptography is important
to solve important problems we can't otherwise solve. Which is a
deception, anyone with any knowledge of cryptography knows we can do
secure comms without it. (2) they do it to get their grant money, and
(3) they get their grant money, so someone else doesn't.

As an example -- the point being that grounding in real world needs is
essential for people to contribute to society, and SSL shows weaknesses
in that area. So if you want to be useful, you are forced to look at
wider things than the pure, mathematical aspects of cryptography.

PS: I personally think top-posting is fine if the response is not
point-wise aligned, but is instead general. Also, the whole world uses
top-posting, it is only the older folk from the pre-web age who
understand the higher precision in interleaved responses. That is, us
older folk should relax a little, elsewise we'll just be unhappy
without end :)