Search Mailing List Archives
[liberationtech] W3C WebCrypto Last Call for Comments *today*
carlo von lynX
lynX at time.to.get.psyced.org
Wed May 28 06:28:07 PDT 2014
Sorry libtech, some of the in-between mails were not forwarded
On Wed, May 28, 2014 at 02:21:55PM +0200, Anders Rundgren wrote:
> Asking for "consensus" on anything security-ish under these
> circumstances is simply put impossible.
That's because you can't build consensus if some participants
have an interest on dominating over others. The method of
consensus requires the group to remove such elements in order
to be able to work out a consensus which is best for the group -
and in this case the consensus must be privacy for humanity,
not security business models for companies or obligations to
their respective governments.
So the mistake in the method you are applying is well-researched
and has an answer. Issues concerning basic constitutional rights
of citizen must not be defined by a standards body open to
entities and elements with incompatible interests.
Thus, Webcrypto CANNOT be reasonably be brought forward by
either W3C or IETF. q.e.d.
> Following the logic in your reasoning, you should list all the
> algorithms that should be deprecated. I'm not a cryptographer
> but I'm quite familiar with security protocols and that's where
> things go really wrong. If you take a peek in the IETF-TLS
> list you will get an idea of the complexity building secure
That is a fallacy. Negotation is a bug. GNUnet comes with one
wise choice of a cipher. Should a sufficiently relevant new
cipher be invented, GNUnet will have a transition period -
but that's it. No backwards compatibility humbug forever.
> BTW, I'm not a member of the WebCrypto WG but I mentally support
> the work anyway. If somebody comes up with a better mousetrap
> I don't think anybody will object :-)
That's why you are perpetuating this debate which is VERY
much not in the interests of the W3C members. I like it.
Thank you for letting Eleanor's and my voice be heard.
> There were requests fora high-level API that would hide the
> complexity as well as always using the "best" algorithms.
Oh that's easy.. you can look at NaCl or EthOS for inspiration.
> It was rejected and IMO on correct grounds because there
> would be endless discussions on how such a thing would work
> and in the end nobody would be happy anyway.
It is totally among the duties of the advanced lobbyist to
know how to gently and delicately break consensus processes.
Of course a consensus could be found, but only among honest
participants. If you weren't successful, this is by today's
knowledge on democracy research a proof that your work has
been undermined by at least one participant who had no
interest in achieving consensus.
Or did you expect secret services would walk into the
working group meetings armed with machine guns and coerce
everyone into stopping to work on reasonable crypto
technologies for the masses?
More information about the liberationtech