[cryptography] motivation, research ethics & organizational criminality (Re: Forward Secrecy Extensions for OpenPGP: Is this still a good proposal?)

ianG iang at iang.org
Sun Sep 15 06:52:47 EDT 2013


leaving aside the more wide-eyed comments in this thread...


On 15/09/13 03:05 AM, coderman wrote:

> apply defense in depth, and pair cleared individual work product with
> a scrutinizer not so encumbered.  call it peer review across trust
> boundaries. it is mandatory!


Indeed.  Your conclusion might be as above -- all conflicted 
contributors must be paired with a non-conflicted contributor.

However, I would caution that (my) experience shows that you also need a 
process to ask the implicit questions that allow the conclusion to be 
reached.  This is not as easy as it sounds, but it is doable.



> unfortunately the budgets, skill, and other resources available
> outside of five eyes and their industry partners are significantly
> smaller...


Right.  We likely cannot stop the focussed, resourced-up direct attack.

But, there are things that can be done to deal with the PRISM attack. 
As an aside, the system that CAcert uses bears study, we did a good job, 
and we dealt with the PRISM attack (so says I).  At least, I suggest 
that it can be done, something can be done, and there is hope that a 
reasonable solution can be found -- for the ultimate benefit of all.



iang


PS: I'm writing up the CAcert experiences, amongst 100 other tasks, 
therefore slow work.

