Practice Cryptography!

Even with all of the cryptologic and cryptographic technology that has existed in the world for the past 60 years, we still don't really know what encryption is good for or how to use it -- or, more importantly, why it's important. Maybe it's time for people and coders to actually start practicing how to use it, like any other skill.

Thursday, March 02, 2006

 

Standards... that aren't.

"pkcs12_parse will, in its current form, only parse well-formed PKCS#12 files which contain a private key, its corresponding certificate, and zero or more CA certificates." -- Dr. Stephen Henson, openssl_users mailing list, 2006Mar02.

Every standard that exists in the cryptographic literature has cross-references to pretty much every other standard that exists in the cryptographic literature. You can't read the TLS 1.1 specification without a cross-reference to an obsolete version of the PKCS#1 specification, which it ACKNOWLEDGES as obsolete, but which was maintained "to minimize terminology differences between TLS 1.0 and TLS 1.1".

It's almost impossible to find all the specifications you're looking for. Worse, as in the case of the ITU, many of the specifications cost real money, as though their publishers expect that only corporations with deep pockets are going to be using them. (Individuals can get 3 specifications per year free from the ITU, but that's not really of much help when THEIR specifications all cross-reference each other so that you need some kind of graph to figure out what you need and what you don't.)

So, I say, let them. Let the big corporations use the ITU specifications, which have been shown to be impossible to implement, impossible to understand, and rife with security problems. The only reason they're the standard (and the reason the IETF bows to them) is that nobody has come up with a different, better standard... the only person who ever led an attempt to try something else was Phil Zimmermann, the guy who wrote PGP.

We need to practice cryptography. We need to understand what it is we do, and we need to find what's wrong in current practice and fix it. We need to reduce the complexity of using it, while learning how to implement it securely. (Developers, this also means that you need to learn how to build secure programs and operating systems, as well as secure cryptographic pieces.)

The only way we can maintain our privacy is by applying rigorous security to our information. The only way we can be sure we're talking to who we think we're talking to is by applying rigorous security to our interactions. The only way we can be sure that we're getting what the other person is saying is by applying rigorous security to our communications. These are axiomatic -- why should we let anyone else dictate the terms of how we do it?
