[cryptography] motivation, research ethics & organizational criminality (Re: Forward Secrecy Extensions for OpenPGP: Is this still a good proposal?)
iang at iang.org
Sun Sep 15 06:52:47 EDT 2013
leaving aside the more wide-eyed comments in this thread...
On 15/09/13 03:05 AM, coderman wrote:
> apply defense in depth, and pair cleared individual work product with
> a scrutinizer not so encumbered. call it peer review across trust
> boundaries. it is mandatory!
Indeed. Your conclusion might be as above -- all conflicted
contributors must be paired with a non-conflicted contributor.
However, I would caution that (my) experience shows that you also need a
process to ask the implicit questions that allow the conclusion to be
reached. This is not as easy as it sounds, but it is doable.
> unfortunately the budgets, skill, and other resources available
> outside of five eyes and their industry partners are significantly
Right. We likely cannot stop the focussed, resourced-up direct attack.
But, there are things that can be done to deal with the PRISM attack.
As an aside, the system that CAcert uses bears study, we did a good job,
and we dealt with the PRISM attack (so says I). At least, I suggest
that it can be done, something can be done, and there is hope that a
reasonable solution can be found -- for the ultimate benefit of all.
ps: I'm writing up the CAcert experiences, amongst 100 other tasks,
therefore slow work.