
Re: Last Call: <draft-farrell-perpass-attack-02.txt> (Pervasive Monitoring is an Attack) to Best Current Practice

2013-12-09 02:00:22
Hi there,

Knives have their dangers, and the metal-processing industry should not
be encouraging their widespread adoption.

Funny - that conclusion, which is analogous to yours, doesn't make much
sense to me. Does it to you?

Encryption is a tool - it's neither good nor bad in itself. What you do
with it is the question.

The analogy that comes to my mind is not knives, but guns.

You're trying to drag me with my knives into a gunfight (pun
inevitable). But that won't work: I've chosen the analogy with a bit of
care:

Knives are easily available to anyone, just like encryption.

The distribution of knives can't reasonably be regulated so that they
are only available to few sanctioned bodies; they are simple to
manufacture, "blueprints" if you think you need some can be found
easily, and the raw materials cannot be held away from the public
either; they are just too useful for any sort of purposes.

The same goes for encryption: anyone with a compiler can implement the
publicly available algorithms and manufacture an encrypting/decrypting
device or program himself (for you probably "Weapon of Mass Encryption"
;-) [*] ). In fact, it has happened hundreds of times and nobody raises
an eyebrow.

In both, the product has already proliferated, and it is not possible to
roll back to a state where it hasn't.

Also, both of those have proven to have both too numerous and
unquantifiable good and bad uses, and both of it in scale; there is no
obvious, generally-accepted world-wide agreement that either of the two
can only be used for nefarious purposes.

So, I feel good comparing these two tools.

Contrary to that, your comment tries to drag me into comparing
encryption with a class of tool (yes, it also is one) which fails
comparability to encryption in all the points I made above:

Guns are not easily available to anyone. In absolute terms, they *are*
though; regulation merely raises the bar to get one. I guess if you
really want one, there are plenty of ways of getting one illegally in most
countries of the world. Otherwise, the terrorists wouldn't have guns,
would they? This in itself makes your point below a bit moot: if you'd
heavily regulate the use of encryption, it would still keep being
available; and with the bar too high for John Does, its use would become
common only for those who have something to hide.

Guns have not (yet) proliferated; governments try to keep them in a state
where this doesn't happen. They do struggle with this in the 3D printer
age now; it will be interesting to see how they can cope with that step
towards proliferation.

Guns have a much harder time proving that they have good uses
outweighing/getting on par with the bad ones. Encryption has proven its
good uses plenty of times; it also has its bad ones, but due to its general
applicability to any sort of communication on a much more equal scale
than guns do.

You couldn't even make a point to the contrary: your "argumentation" in
your original mail merely managed to point out two singular uses where
the use of encryption didn't match your personal point of view of being
"good". If the same encryption technology is used by demonstrating
masses in totalitarian countries, which enabled them to lead to a
revolution towards democracy, your opinion on exactly the same use of
technology might have swung around.

So, to sum up: encryption is a general-use technology. Your attempt to
position it as a threat to society is rather futile.

Many, probably most, countries in the world place quite stringent
restrictions on what their citizens can do in owning or using guns.
Were the UN to produce a convention restricting their use, one country
one vote, I expect that it would be passed with a large majority.  The
evil done by terrorists, criminals, evil empires and so on with guns
outweighs the good.

The technology is neutral; the user of it is evil or not, as the case
may be.


If encryption makes terrorism, crime and so on more likely, then we
could see countries impose restrictions on encryption in the same way as
for guns, and a few years down the line, the role of the IETF in
encouraging the use of strong encryption could be seen as a serious
misjudgment, one that is damaging to the standing of the IETF.

Authentication is fine, in fact I think that it is grossly misunderstood
and underused and does not, as far as I can see, pose a threat;
encryption is a different matter.

Now that is really quite a bit short-sighted.

Authentication without encryption allows every listener (including those
in the perpass sense) to find out who exactly made the statement, with
some strong amount of provability. If at the same time banning
encryption, this exposes everyone's communication to the world, with no
way of provable deniability, and no way of talking in private.

This is like a dream for perpass-style attackers.

With the kind of statements you made in this thread, I can't help but
wonder on whose paycheck you are. I read British Telecom as per your
mail address (and certainly hope that you are not representing
company opinion), but can't help think it's "5 Eyes" instead.

Greetings,

Stefan Winter

[*] IETFers should really wear T-Shirts stating "I produce Weapons of
Mass Encryption" :-)
-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
