Practice Cryptography!
Even with all of the cryptologic and cryptographic technology that has existed in the world for the past 60 years, we still don't really know what encryption is good for or how to use it -- or, more importantly, why it's important. Maybe it's time for people and coders to actually start practicing how to use it, like any other skill.Friday, January 18, 2008
What do we need to identify and authenticate?
When we're using cryptography, what do we need to identify and authenticate?
Some folk think that by applying a digital signature to something, it's the same as a physical, handwritten signature. Yet, there's no legal reason for this (except perhaps the digital signatures act, which allows for certain digital signatures to be recognized in certain transactions -- but which doesn't assign any meaning to any other digital signature).
I think that there are things that cryptography would be good for, and it's very important to realize that we've got problems in the real world right now that cryptography can solve even without legal recognition.
The Cypherpunks (site http://www.cypherpunks.ca/ ) created OTR -- "Off The Record". This allows for verification of received messages at the time of receipt, without any kind of verifiable log. This means that your conversation is private while it's going on, and also means that either end can forge messages in their own logs. This is perfect from a conversational privacy standpoint, as it re-introduces the concept of "he said she said" -- I have deniability of anything I say to you, and vice versa. It can't be proven that I (or you) actually said anything, so cryptography is made less scary to use.
This is the kind of thing that we need to see more of. Instead of letting the governmental bureaucrats who created X.509 and pushed it on us dictate how cryptography must be used... we should find our own ways to use it, for the purposes that we want and that we intend.
Some folk think that by applying a digital signature to something, it's the same as a physical, handwritten signature. Yet, there's no legal reason for this (except perhaps the digital signatures act, which allows for certain digital signatures to be recognized in certain transactions -- but which doesn't assign any meaning to any other digital signature).
I think that there are things that cryptography would be good for, and it's very important to realize that we've got problems in the real world right now that cryptography can solve even without legal recognition.
The Cypherpunks (site http://www.cypherpunks.ca/ ) created OTR -- "Off The Record". This allows for verification of received messages at the time of receipt, without any kind of verifiable log. This means that your conversation is private while it's going on, and also means that either end can forge messages in their own logs. This is perfect from a conversational privacy standpoint, as it re-introduces the concept of "he said she said" -- I have deniability of anything I say to you, and vice versa. It can't be proven that I (or you) actually said anything, so cryptography is made less scary to use.
This is the kind of thing that we need to see more of. Instead of letting the governmental bureaucrats who created X.509 and pushed it on us dictate how cryptography must be used... we should find our own ways to use it, for the purposes that we want and that we intend.
Archives
2006-02-12 2006-02-19 2006-02-26 2006-03-05 2006-03-12 2006-03-19 2006-03-26 2006-04-02 2006-04-09 2006-04-16 2006-04-23 2006-07-23 2008-01-13 2008-01-20 2008-02-03 2008-02-17 2008-03-16 2008-04-06 2008-05-11
