Search Mailing List Archives
[liberationtech] W3C WebCrypto Last Call for Comments *today*
anders.rundgren.net at gmail.com
Wed May 28 12:31:42 PDT 2014
On 2014-05-28 16:55, Ryan Sleevi wrote:
> Again removing public-webcrypto-comments.
Yes, I forgot to mention that standardization efforts have nothing
to do with Democracy, Free speech, Level playing fields, or a
Quest for the best possible solution...
It is only about playing hard-ball, hallway lobbying and general
disrespect for small entities.
A part of the game is also to be completely uninterested in evaluating
alternative solutions to a problem.
> On May 28, 2014 7:33 AM, "Anders Rundgren" <anders.rundgren.net at gmail.com <mailto:anders.rundgren.net at gmail.com>> wrote:
> I don't have much to offer regarding the algorithm issues but I believe
> my 15Y+ with (mainly unsuccessful) security standardization efforts
> have given me at least a perspective on this.
> There are no entirely objective and honest persons around.
> We all have something to defend like "professional relevance",
> our employer's legacy systems, and last but not least our egos.
> The W3C also have another objective: keeping their big members
> happy since they pay their salaries.
> In addition, people have rather different personalities making
> it hard getting a reasonable climate for open discussions.
> I once complained to Linus Torvalds that Linux lacked cryptographic
> architecture and he said he had given up on that since security-
> people never agree on anything. I think he is right :-(
> On 2014-05-28 15:28, carlo von lynX wrote:
> Sorry libtech, some of the in-between mails were not forwarded
> to you.
> On Wed, May 28, 2014 at 02:21:55PM +0200, Anders Rundgren wrote:
> Asking for "consensus" on anything security-ish under these
> circumstances is simply put impossible.
> That's because you can't build consensus if some participants
> have an interest on dominating over others. The method of
> consensus requires the group to remove such elements in order
> to be able to work out a consensus which is best for the group -
> and in this case the consensus must be privacy for humanity,
> not security business models for companies or obligations to
> their respective governments.
> So the mistake in the method you are applying is well-researched
> and has an answer. Issues concerning basic constitutional rights
> of citizen must not be defined by a standards body open to
> entities and elements with incompatible interests.
> Thus, Webcrypto CANNOT be reasonably be brought forward by
> either W3C or IETF. q.e.d.
> Following the logic in your reasoning, you should list all the
> algorithms that should be deprecated. I'm not a cryptographer
> but I'm quite familiar with security protocols and that's where
> things go really wrong. If you take a peek in the IETF-TLS
> list you will get an idea of the complexity building secure
> That is a fallacy. Negotation is a bug. GNUnet comes with one
> wise choice of a cipher. Should a sufficiently relevant new
> cipher be invented, GNUnet will have a transition period -
> but that's it. No backwards compatibility humbug forever.
> BTW, I'm not a member of the WebCrypto WG but I mentally support
> the work anyway. If somebody comes up with a better mousetrap
> I don't think anybody will object :-)
> That's why you are perpetuating this debate which is VERY
> much not in the interests of the W3C members. I like it.
> Thank you for letting Eleanor's and my voice be heard.
> There were requests fora high-level API that would hide the
> complexity as well as always using the "best" algorithms.
> Oh that's easy.. you can look at NaCl or EthOS for inspiration.
> It was rejected and IMO on correct grounds because there
> would be endless discussions on how such a thing would work
> and in the end nobody would be happy anyway.
> It is totally among the duties of the advanced lobbyist to
> know how to gently and delicately break consensus processes.
> Of course a consensus could be found, but only among honest
> participants. If you weren't successful, this is by today's
> knowledge on democracy research a proof that your work has
> been undermined by at least one participant who had no
> interest in achieving consensus.
> Or did you expect secret services would walk into the
> working group meetings armed with machine guns and coerce
> everyone into stopping to work on reasonable crypto
> technologies for the masses?
More information about the liberationtech