The wisdom of the ill informed
netsecurity at sound-by-design.com
Mon Jun 30 14:47:54 EDT 2008
Nicolas Williams wrote:
> On Mon, Jun 30, 2008 at 07:16:17AM -0700, Allen wrote:
>> Given this, the real question is, /"Quis custodiet ipsos custodes?"/
> Putting aside the fact that cryptographers aren't custodians of
> anything, it's all about social institutions.
Well, I wouldn't say they aren't custodians. Perhaps not in the
sense that the word is commonly used, but most certainly in the
sense custodians of the wisdom used to make the choices. This is
exemplified by Bruce Schneier, an "acknowledged expert," changing
his mind about the way to do security from "encrypt everything" to
"monitor everything." Yes, I have simplified his stance, but just to
make the point that even experts learn and change over time.
> There are well-attended conferences, papers published online and in many
> journals, etcetera. So it's not so difficult for people who don't know
> anything about security and crypto to eventually figure out who does, in
> the process also learning who else knows who the experts are.
Actually I think it is just about as difficult to tell who is a
trustworthy expert in the field of cryptography as it is in any
field of science or medicine. Just look at the junk science and
medical studies. One retrospective study of 90+ clinical trials
found that over 600 potentially important reaction to the drugs
occurred but only 39 were reported in the papers. I suspect if we
did the same sort of retrospective study for cryptography we would
find some similar issues, just, perhaps, not as large because there
is not as much money to be made with junk cryptography as junk
> For example, in the IETF there's an institutional structure that makes
> finding out who to ask relatively simple. Large corporations tend to
> have some experts in house, even if they are only expert in finding the
> real experts.
> We (society) have new experts joining the field, with very low barriers
> to entry (financial and political barriers to entry are minimal -- it's
> all about brain power), and diversity amongst the existing experts.
> There's no major personal gain to be had, besides fame, and too much
> diversity and openness for anyone to have a prayer of manipulating the
> field undetected for too long.
I'm curious, how does software get sold for so long that is clearly
weak or broken? Detected, yes, but still sold like Windows LANMAN
> When it comes to expertise in crypto, Quis custodiet ipsos custodes
> seems like a relatively simple problem. I'm sure it's much, much more
> difficult a problem for, say, police departments, financial
> organizations, intelligence organizations, etc...
Well, Nico, this is where I diverge from your view. It is the
"police departments, financial organizations, intelligence
organizations, etc..." who deploy the cryptography. Why should they
be able to do that any better than they do anything else? I suspect
that a weakness in oversight in one area is likely to reflect a
weakness in others as well. Not total failure, just not done the
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography