From: Adam Back <aba@dcs.ex.ac.uk>
To: fod@brd.ie
Message Hash: 1c4bf161f1aee9ddcdf6cc6285bb823ce63bec071f052cefbecebd635d40f972
Message ID: <199810081945.UAA14149@server.eternity.org>
Reply To: <361CE49F.C858A2CE@brd.ie>
UTC Datetime: 1998-10-08 20:36:37 UTC
Raw Date: Fri, 9 Oct 1998 04:36:37 +0800
From: Adam Back <aba@dcs.ex.ac.uk>
Date: Fri, 9 Oct 1998 04:36:37 +0800
To: fod@brd.ie
Subject: Re: propose: `cypherpunks license' (Re: Wanted: Twofish source code)
In-Reply-To: <361CE49F.C858A2CE@brd.ie>
Message-ID: <199810081945.UAA14149@server.eternity.org>
MIME-Version: 1.0
Content-Type: text/plain
Frank O'Dwyer writes:
> I'm familiar with C2Net. If Stronghold is any good, that is because
> C2net and/or the Apache team know what they are doing, not just because
> they picked up a free SSL library on the net. It's easy to build
> insecure products on good crypto, and many other companies are busy
> doing just that.
Perry recently posted a summary of his views on the appropriateness of
GPL vs BSD vs other licenses for achieving various aims, "free
software" under the GNU meaning, vs crypto software deployment. I
found Perrys summary to be the clearest on the topic so far.
You appear to be arguing with another aim in mind. You seem to be
arguing that the primary goal should be to have best security, from
the outset. ie one gets the impression from reading your previous two
posts that you consider ultimate security more important than
deployment. If this is what you are saying, I disagree.
As I argued further down, I think cypherpunk type goals are better met
my getting people to deploy first, then if they bodge it to encourage
them to fix it, and I gave the example of the Netscape RNG weakness
which was very quicly fixed once it was found:
> > Cypherpunks also get involved in breaking crypto, and this is usually
> > enough to get massively commercially deployed strong crypto with
> > unintentional flaws converted quickly into massively deployed crypto
> > without the flaws. eg. Netscape's random number generator weakness,
> > which netscape fixed immediately.
>
> That's condescending and irrelevant. Did anyone ever fix web spoofing?
Which is not in the least condescending or irrelevant as it gives an
example showing that having what turns out to be less than perfect
security can be fairly quickly remedied. And security is hard, even
competent people make mistakes. The important thing is to admit and
quickly fix such mistakes.
I've taken your comments on web spoofing to another post.
> Then I guess you agree that closed-source deployment is neither
> necessary nor sufficient to achieve "strong crypto". Not really sure why
> you're arguing in that case.
I don't think anyone suggesed that closed source deployment was in
anyway better than open source, and obviously open source is better
for verifying the quality of crypto software.
However, as was previously suggested, if deployment is the goal, and
if one uses for example a GNU license it tends to discourage
commercial (typically closed source) deployers, and as Lucky said:
: Many companies will not be able to source contaminated by GNU-style
: licensing restrictions. Consequently, alternatives would be
: found. Some of those alternatives, include using no crypto at all or
: using crypto written by somebody that does not understand
: crytography. Hardly the outcome a Cypherpunk would desire.
And I think at this stage something is vastly better than nothing.
> > You don't get it, but then have you ever written any crypto code with
> > the objective of undermining the power of the state? Is this your aim
> > in writing your open source application code that you name dropped?
>
> Yes, and yes.
Cool, what application area are these in? Got a URL?
> (I don't think you understand the term "name dropped" btw.
Just a comment on the Rick Smith (of Secure Computing) syndrome (read
crytopgraphy list you'll know about the book he wrote, because every
other post he makes involves it). Perhaps not appropriate in your
case, but if people mention software, it is nice to know some details:
why should we be interested in your software etc.
> But given the name-dropping and appeal-to-authority tone of your
> whole post, I wonder if you understand the term "irony").
Irony? Your post was intended to be ironic? What is ironic about
arguing that first cut security is more important than deployment?
This is cypherpunks, people tend to speak their mind, and usually
aren't too delicate about it -- welcome to the cypherpunks list.
Adam
--
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
Return to October 1998
Return to “Richard Stallman <rms@gnu.org>”