[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: propose: `cypherpunks license' (Re: Wanted: Twofish source code)




Adam Back wrote: 
> Mr Johnny Come Lately writes:

Adam, in future please spare me your warrantless insults. Thanks.

> > Having said that I do question whether take-up of free crypto components
> > by commercial companies genuinely results in "strong cryptographic
> > products". I'm not meaning to denigrate Eric's work in any way, but in
> > my experience the likes of SSLeay is very often shovelled into products
> > by companies who don't understand crypto, don't understand SSL, and
> > barely understand SSLeay. Even those who do understand what they are
> > doing are typically working "on Internet time". Certainly merely linking
> > to SSLeay does NOT result in a "strong cryptographic product", not by
> > any stretch of the imagination.
> 
> Let me clue you in here: you are talking to the Caped Green one, who
> currently is working for C2Net, which just happens to be selling
> Stronghold, a commercial version of Apache, which is the most widely
> used secure web server in the world.  Guess what: Apache uses SSLeay,
> and Stronghold also inherits this.

I'm familiar with C2Net. If Stronghold is any good, that is because
C2net and/or the Apache team know what they are doing, not just because
they picked up a free SSL library on the net. It's easy to build
insecure products on good crypto, and many other companies are busy
doing just that. In fact, it's funny that you tout a "secure web server"
as "strong crypto" since in that context SSL is usually vulnerable to
being end-run by web spoofing. Oops. Oh well, it uses strong crypto, so
it must be good.

> > > The bottom line is that GNU-licensing is more restrictive than
> > > BSD/SSLeay-style licensing. Hence identical freeware will see less
> > > deployment under GNU than under BSD.
> > >
> > > Cyphpunks believe that more strong crypto is better.
> >
> > Well then, "Cypherpunks write code". Wide deployment of crypto
> > components in closed-source programs (especially by cluebags) is neither
> > necessary nor sufficient to achieve "more strong crypto" in the sense
> > that Cypherpunks mean it, in my opinion. (Yes, it's better than nothing,
> > but not much better.)
> 
> What sense do cypherpunks mean strong crypto in then?  Perhaps you
> could educate us?
> 
> They mean lots of crypto out there firstly, so that the when the
> government tries the next GAK initiative the government has less
> chance of pushing it through, as more people know what crypto is, and
> understand how outrageous mandatory domestic GAK is.  Secondly they
> mean strong crypto, as in full key strengths, and no flaws.  But
> mainly their interest in deploying strong crypto by whatever means
> available (commercial, freeware, or whatever) for a purpose: to
> undermine the power of the state, to allow people to go about the
> business unhindered by the state.

Then I guess you agree that closed-source deployment is neither
necessary nor sufficient to achieve "strong crypto". Not really sure why
you're arguing in that case.

> Cypherpunks also get involved in breaking crypto, and this is usually
> enough to get massively commercially deployed strong crypto with
> unintentional flaws converted quickly into massively deployed crypto
> without the flaws.  eg. Netscape's random number generator weakness,
> which netscape fixed immediately.

That's condescending and irrelevant. Did anyone ever fix web spoofing?

> > > The conclusion in the GNU vs. BSD/SSLeay/etc. license debate
> > > should be clear.
> >
> > Well, it clearly isn't, as evidenced by the large number of fairly
> > bright people arguing about it. :)
> 
> It's clear to pretty much all the cypherpunks I've seen contribute to
> the thread, Eric, Perry, Adam Shostack, Jim McCoy, Bruce Schneier.
> Probably there were some others who contributed to the thread also.
> 
> You don't get it, but then have you ever written any crypto code with
> the objective of undermining the power of the state?  Is this your aim
> in writing your open source application code that you name dropped?

Yes, and yes. (I don't think you understand the term "name dropped" btw.
But given the name-dropping and appeal-to-authority tone of your whole
post, I wonder if you understand the term "irony").

Cheers,
Frank O'Dwyer.