[Cryptography] Cue the blamestorming

ianG iang at iang.org
Thu Apr 17 20:12:06 EDT 2014


On 17/04/2014 18:10 pm, Phillip Hallam-Baker wrote:
> There but for the grace of ...
> 
> Remember DigiNotar and the proposals made then for what to do to the
> next CA to screw up? The plot writers for Game of Thrones could have
> got some ideas there.
> 
> Hasn't taken long for people to start in on the same type of cheap
> talk on OpenSSL.

Just on that point, there are also actions to balance words, it seems:

http://undeadly.org/cgi?action=article&sid=20140415093252

    Changes so far to OpenSSL 1.0.1g since the 11th include:

        Splitting up libcrypto and libssl build directories
        Fixing a use-after-free bug
        Removal of ancient MacOS, Netware, OS/2, VMS and Windows build junk
        Removal of “bugs” directory, benchmarks, INSTALL files, and shared library goo for lame platforms
        Removal of most (all?) backend engines, some of which didn’t even have appropriate licensing
        Ripping out some windows-specific cruft
        Removal of various wrappers for things like sockets, snprintf, opendir, etc. to actually expose real return values
        KNF of most C files
        Removal of weak entropy additions
        Removal of all heartbeat functionality which resulted in Heartbleed

https://lobste.rs/s/3utipo/openbsd_has_started_a_massive_strip-down_and_cleanup_of_openssl/comments/fkwgqw




> We have some big problems here.

+1

> And the fact that the US govt. which
> we thought was making a significant contribution to COMSEC through the
> NSA turns out to have spent less than 0.5% of its budget on COMSEC
> standards related activities and most of that went into sabotage.

Yes, that particular misinformation campaign has been revealed.  I'm not
sure who it was aimed at tho...


> So I have been looking into some structural alternatives. We need
> resources. But more importantly we need to know how to apply them.
> Right now I have no doubt that we can work out a solution for OpenSSL.
> But that is not the only underfunded software project that has a major
> impact on a critical resource.
> 
> We have to look at all the points where we might be vulnerable and fix them.


Yes. This is perhaps happening as we speak in the world of Bitcoin.  The
design, first aired in this forum about 4 years back, eliminated the
single point of failure known as the issuance server (or mint or bank,
etc).  However it ended up with a single point of failure known as the
dev team.

Right now the dev team faces a dual pincer movement.  The volunteers are
too scared to make the radical changes that are needed to keep up with
developments, and the businesses out there are busily strip-mining the
team for developers.  This ensures no independence and a facade of open
source, as we've seen with other notable corporate-controlled programs.

Why is this happening?  Well, one can poke a lot of factors.  Point
remains that Phillip's comment about systemic weaknesses in the security
projects is now emerging as a big issue.


> We also need to bring government resources to bear because there are
> some things that are really hard to achieve in either a commercial or
> a volunteer model.


That's not a sufficient reason.  You'd also have to show that the
government can do a better job, rather than make a bigger mess.  I err
on the latter, so I'm interested to hear claims to the former.


> The WebPKI was designed to support multiple CAs for a reason. Having
> multiple CAs does create an incentive for each to keep their
> competitors honest. So now we play that game with governments. We
> don't need 50 but we need more than the US or the US plus UK and
> Canada.


He:) that rabbit hole, too late for me.



iang

