[cryptography] What project would you finance? [WAS: Potential funding for crypto-related projects]

Ben Laurie ben at links.org
Tue Jul 2 06:48:02 EDT 2013

On 2 July 2013 11:25, Adam Back <adam at cypherspace.org> wrote:
> I think it time to deprecate non-https (and non-forward secret
> ciphersuites.)  Compute power has moved on, session cacheing works,
> symmetric crypto is cheap.
> Btw did anyone get a handle on session resumption - does it provide forward
> secrecy (via k' = H(k)?).  Otherwise I saw concerns a disk stored, or long
> lived session resumption may itself start to become an exposure risk
> somewhat analogous to non-forward secret SSL.

Resumed sessions do not give forward secrecy. Sessions should be
expired regularly, therefore.

> Adam
> On Tue, Jul 02, 2013 at 12:50:32PM +0300, ianG wrote:
>> BTNS (better than nothing security) for IPSec could save it.
>> There is precedent:  the ideas behind SSH totally swept out secure-telnet
>> within a year or so.  Skype demolished other VoIP providers, because its
>> keys were hidden.  The same thing happened with that email transport
>> security system.
>> In contrast, IPSec is a complete and utter deployment failure, and it
>> shares statistically unmeasurable rates of protection across the net. It's
>> near cousin, secure browsing at least achieved penetration rates of around
>> 1% if one counts the HTTPS v. HTTP ratio (what else matters?). Both suffered
>> in large part because they insisted on the classical certificates / PKI
>> schoolbook.
>> So, if one is looking for a saviour, there is pretty good correlation
>> here.
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography

More information about the cryptography mailing list