[cryptography] What project would you finance? [WAS: Potential funding for crypto-related projects]

Adam Back adam at cypherspace.org
Tue Jul 2 06:25:50 EDT 2013


I think it is time to deprecate non-https (and non-forward secret
ciphersuites.)  Compute power has moved on, session caching works,
symmetric crypto is cheap.

Btw did anyone get a handle on session resumption - does it provide forward
secrecy (via k' = H(k)?).  Otherwise I saw concerns that a disk-stored or
long-lived session resumption may itself start to become an exposure risk
somewhat analogous to non-forward secret SSL.

Adam

On Tue, Jul 02, 2013 at 12:50:32PM +0300, ianG wrote:
>BTNS (better than nothing security) for IPSec could save it.
>
>There is precedent:  the ideas behind SSH totally swept out 
>secure-telnet within a year or so.  Skype demolished other VoIP 
>providers, because its keys were hidden.  The same thing happened 
>with that email transport security system.
>
>In contrast, IPSec is a complete and utter deployment failure, and it 
>shares statistically unmeasurable rates of protection across the net. 
>Its near cousin, secure browsing, at least achieved penetration rates 
>of around 1% if one counts the HTTPS v. HTTP ratio (what else 
>matters?). Both suffered in large part because they insisted on the 
>classical certificates / PKI schoolbook.
>
>So, if one is looking for a saviour, there is pretty good correlation here.
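
A toy model of the k' = H(k) idea raised in Adam Back's message, added here as an example (not part of the original thread, and not a description of how TLS session resumption actually works). The class and function names, the SHA-256/HMAC construction and the sample secret and nonces are assumptions made for illustration; it compares a stored resumption secret that never changes with one that is hashed forward after each use, then checks what a seized cache entry reveals.

```python
import hashlib
import hmac

def ratchet(k: bytes) -> bytes:
    """k' = H(k): one-way step applied to the stored resumption secret."""
    return hashlib.sha256(b"resumption-ratchet" + k).digest()

def session_key(k: bytes, nonce: bytes) -> bytes:
    """Traffic key for one resumed session, from the current secret."""
    return hmac.new(k, b"session-key" + nonce, hashlib.sha256).digest()

class StaticCache:
    """Keeps the same secret for the whole lifetime of the cache entry."""
    def __init__(self, secret: bytes):
        self.k = secret
    def resume(self, nonce: bytes) -> bytes:
        return session_key(self.k, nonce)

class RatchetedCache(StaticCache):
    """Overwrites the secret with H(secret) after every resumption."""
    def resume(self, nonce: bytes) -> bytes:
        key = session_key(self.k, nonce)
        self.k = ratchet(self.k)  # old secret is no longer stored anywhere
        return key

def recoverable(stolen_k: bytes, nonce: bytes, observed: bytes, steps: int = 8) -> bool:
    """True if the holder of stolen_k can reproduce an observed session key.
    The holder can only move forward along the hash chain, never backward."""
    k = stolen_k
    for _ in range(steps):
        if hmac.compare_digest(session_key(k, nonce), observed):
            return True
        k = ratchet(k)
    return False

def demo() -> dict:
    secret = bytes(range(32))        # constructed sample secret
    nonces = [b"n0", b"n1", b"n2"]   # constructed; assumed visible on the wire
    out = {}
    for name, cls in (("static", StaticCache), ("ratcheted", RatchetedCache)):
        cache = cls(secret)
        past = [cache.resume(n) for n in nonces[:2]]  # two earlier sessions
        stolen = cache.k                              # cache entry seized now
        future = cache.resume(nonces[2])              # one later session
        out[name] = {
            "past": [recoverable(stolen, n, k) for n, k in zip(nonces, past)],
            "future": recoverable(stolen, nonces[2], future),
        }
    return out

if __name__ == "__main__":
    print(demo())
```

In this model the ratchet protects sessions resumed before the seizure but not those resumed after it, so a long-lived or disk-stored entry still exposes later traffic until it is expired or replaced by a fresh key exchange.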

