[147314] in cryptography@c2.net mail archive
Re: [Cryptography] Gilmore response to NSA mathematician's
daemon@ATHENA.MIT.EDU (james hughes)
Sat Sep 28 12:45:01 2013
X-Original-To: cryptography@metzdowd.com
From: james hughes <hughejp@mac.com>
In-reply-to: <9AE709ED-8202-48DC-A958-FEDE001E063F@gmail.com>
Date: Thu, 26 Sep 2013 21:30:07 -0700
To: John Kelsey <crypto.jmk@gmail.com>
Cc: "cryptography@metzdowd.com List" <cryptography@metzdowd.com>,
James Hughes <hughejp@mac.com>, walter.van.holst@xs4all.nl,
Kent Borg <kentborg@borg.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
--===============0920373203473761387==
Content-type: multipart/alternative;
boundary="Apple-Mail=_8D813CAD-BCEC-444A-87FF-B7B2F186C74C"
--Apple-Mail=_8D813CAD-BCEC-444A-87FF-B7B2F186C74C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset=iso-8859-1
http://www.nytimes.com/2013/09/27/opinion/have-a-nice-day-nsa.html
On Sep 25, 2013, at 3:14 PM, John Kelsey <crypto.jmk@gmail.com> wrote:
> Right now, there is a lot of interest in finding ways to avoid NSA =
surveillance. In particular, Germans and Brazilians and Koreans would =
presumably rather not have their data made freely available to the US =
government under what appear to be no restrictions at all. If US =
companies would like to keep the business of Germans and Brazilians and =
Koreans, they probably need to work out a way to convincingly show that =
they will safeguard that data even from the US government.=20
I think we are in agreement, but I am focused on what this list -can- do =
and -can-not- do.
All the large banks have huge systems and processes that protect the =
privacy of their customers. It works most of the time, but no large bank =
can say they will never have an employee go bad.=20
My point is that this thread was moving towards the statement that =
citizens of country X should use service providers that "eliminate the =
need for trust". Because of subpoenas and collaboration this statement =
is true in whatever the country the service provider is in and who the =
3rd parties are. In essence, this is a tautology that has nothing to do =
with Cryptography. Even if a service provider could "convince you that =
they _can't_ betray you", it would either be naivet=E9 or simply be =
marketing.=20
The only real way to "eliminate the need for trust" from any service =
provider of any kind, or any country (your's or some other country), is =
to not use them.=20
The one problem that this list (cryptography@metzdowd.com) -can- focus =
on is that the bar has been set too low for the governments to be able =
to break a few keys and gain access to a lot of information. This is the =
violation of trust in the internet that, in part, has been enabled by =
weak cryptographic standards (short keys, non-ephemeral keys, subverted =
algorithms, etc.). I am not certain that Google could have done anything =
differently. Stated differently, Google (and all the world's internet =
service providers) are collateral damage.
The thing that this list can effect is the creation of standards with a =
valuable respect for Moore's law and increases of mathematical =
understanding. Stated differently, "just enough security" is the =
problem. This past attitude did not respect the very probably future =
that became a reality.=20
Are we going to continue this behavior? IMHO, based on what I have been =
seeing on the TLS list, probably.=20
Jim
--Apple-Mail=_8D813CAD-BCEC-444A-87FF-B7B2F186C74C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
charset=iso-8859-1
<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Diso-8859-1"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; =
"><div><div style=3D"margin: 0px; "><a =
href=3D"http://www.nytimes.com/2013/09/27/opinion/have-a-nice-day-nsa.html=
">http://www.nytimes.com/2013/09/27/opinion/have-a-nice-day-nsa.html</a><b=
r></div></div><div style=3D"margin: 0px; font-size: 12px; =
"><br></div><div><div>On Sep 25, 2013, at 3:14 PM, John Kelsey <<a =
href=3D"mailto:crypto.jmk@gmail.com">crypto.jmk@gmail.com</a>> =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><span style=3D"font-family: Helvetica; font-size: medium; =
font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-align: =
-webkit-auto; text-indent: 0px; text-transform: none; white-space: =
normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; display: inline !important; float: none; =
">Right now, there is a lot of interest in finding ways to avoid NSA =
surveillance. In particular, Germans and Brazilians and Koreans =
would presumably rather not have their data made freely available to the =
US government under what appear to be no restrictions at all. If =
US companies would like to keep the business of Germans and Brazilians =
and Koreans, they probably need to work out a way to convincingly show =
that they will safeguard that data even from the US government.<span =
class=3D"Apple-converted-space"> </span></span></blockquote><div><br>=
</div></div><div>I think we are in agreement, but I am focused on =
what this list -can- do and -can-not- do.</div><div><br></div><div>All =
the large banks have huge systems and processes that protect the privacy =
of their customers. It works most of the time, but no large bank can say =
they will never have an employee go =
bad. </div><div><br></div><div>My point is that this thread was =
moving towards the statement that citizens of country X should use =
service providers that "eliminate the need for trust". Because of =
subpoenas and collaboration this statement is true in whatever the =
country the service provider is in and who the 3rd parties are. In =
essence, this is a tautology that has nothing to do with =
Cryptography. Even if a service provider could "convince you that =
they _can't_ betray you", it would either be naivet=E9 or simply be =
marketing. </div><div><br></div><div>The only real way =
to "eliminate the need for trust" from any service provider of =
any kind, or any country (your's or some other country), is to not use =
them. </div><div><br></div><div>The one problem that this list (<a =
href=3D"mailto:cryptography@metzdowd.com">cryptography@metzdowd.com</a>)&n=
bsp;-can- focus on is that the bar has been set too low for the =
governments to be able to break a few keys and gain access to a lot of =
information. This is the violation of trust in the internet that, in =
part, has been enabled by weak cryptographic standards (short keys, =
non-ephemeral keys, subverted algorithms, etc.). I am not certain that =
Google could have done anything differently. Stated differently, Google =
(and all the world's internet service providers) are collateral =
damage.</div><div><br></div><div>The thing that this list can effect is =
the creation of standards with a valuable respect for Moore's law and =
increases of mathematical understanding. Stated differently, "just =
enough security" is the problem. This past attitude did not respect the =
very probably future that became a =
reality. </div><div><br></div><div>Are we going to continue this =
behavior? IMHO, based on what I have been seeing on the TLS list, =
probably. </div><div><br></div><div>Jim</div><div><br></div></body></=
html>=
--Apple-Mail=_8D813CAD-BCEC-444A-87FF-B7B2F186C74C--
--===============0920373203473761387==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
--===============0920373203473761387==--
