[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: propose: `cypherpunks license' (Re: Wanted: Twofish source code)





Mr Johnny Come Lately writes:
> Having said that I do question whether take-up of free crypto components
> by commercial companies genuinely results in "strong cryptographic
> products". I'm not meaning to denigrate Eric's work in any way, but in
> my experience the likes of SSLeay is very often shovelled into products
> by companies who don't understand crypto, don't understand SSL, and
> barely understand SSLeay. Even those who do understand what they are
> doing are typically working "on Internet time". Certainly merely linking
> to SSLeay does NOT result in a "strong cryptographic product", not by
> any stretch of the imagination.

Let me clue you in here: you are talking to the Caped Green one, who
currently is working for C2Net, which just happens to be selling
Stronghold, a commercial version of Apache, which is the most widely
used secure web server in the world.  Guess what: Apache uses SSLeay,
and Stronghold also inherits this.

I would also rate the folks at C2Net as pretty crypto clueful, btw.
2nd hint: C2Net is currently employing Eric Young also, and Eric's
SSLeay still has the same license.

> > The bottom line is that GNU-licensing is more restrictive than
> > BSD/SSLeay-style licensing. Hence identical freeware will see less
> > deployment under GNU than under BSD.
> >
> > Cyphpunks believe that more strong crypto is better.
> 
> Well then, "Cypherpunks write code". Wide deployment of crypto
> components in closed-source programs (especially by cluebags) is neither
> necessary nor sufficient to achieve "more strong crypto" in the sense
> that Cypherpunks mean it, in my opinion. (Yes, it's better than nothing,
> but not much better.)

What sense do cypherpunks mean strong crypto in then?  Perhaps you
could educate us?

They mean lots of crypto out there firstly, so that the when the
government tries the next GAK initiative the government has less
chance of pushing it through, as more people know what crypto is, and
understand how outrageous mandatory domestic GAK is.  Secondly they
mean strong crypto, as in full key strengths, and no flaws.  But
mainly their interest in deploying strong crypto by whatever means
available (commercial, freeware, or whatever) for a purpose: to
undermine the power of the state, to allow people to go about the
business unhindered by the state.

Cypherpunks also get involved in breaking crypto, and this is usually
enough to get massively commercially deployed strong crypto with
unintentional flaws converted quickly into massively deployed crypto
without the flaws.  eg. Netscape's random number generator weakness,
which netscape fixed immediately.

> > The conclusion in the GNU vs. BSD/SSLeay/etc. license debate
> > should be clear.
> 
> Well, it clearly isn't, as evidenced by the large number of fairly
> bright people arguing about it. :)

It's clear to pretty much all the cypherpunks I've seen contribute to
the thread, Eric, Perry, Adam Shostack, Jim McCoy, Bruce Schneier.
Probably there were some others who contributed to the thread also.

You don't get it, but then have you ever written any crypto code with
the objective of undermining the power of the state?  Is this your aim
in writing your open source application code that you name dropped?

This is what I meant by my short rant about coderpunks detracting from
the cypherpunk objective: siphons off 'punks from cypherpunks into a
crypto-politically neutral environment.  Then it gets increasingly
more crypto-politically neutral subscribers, and anyone reminding or
commenting that the original aim of the game was to distribute strong
crypto to undermine the state, gets told by the local retro moderators
that political stuff isn't welcome.

Try reading the cyphernomicon (*), if you haven't.

Adam
	(*) http://www.oberlin.edu/~brchkind/cyphernomicon/