[Cryptography] To what is Anderson referring here?

ianG iang at iang.org
Wed Jun 4 09:54:56 EDT 2014


On 4/06/2014 06:50 am, Christian Huitema wrote:
>> The following text appears in the Ross Anderson paper I just 
>> forwarded the link to:  "A security-economics example is the 
>> thicket of conflicting patent claims on authentication protocols, 
>> one of the two main reasons we’ve been unable to improve
>>  browser security and deal with phishing...."  What patents is he
>>  referring to?
> 
> Two examples come to mind. RSA deployments definitely became easier after
> the patent expired, and we may be witnessing a variation of that with
> elliptic curves.


Hmmm... good ideas, let's analyse, fwiw?

I would call the RSA comment perverse but not entirely inaccurate.  The
RSA patent was a hugely influential force in the choice of SSL/RSA/certs
in the 1994 timeframe.  This model was imposed more from a marketing pov
(RSADSI had a patent to sell..).

The result was phishing.  The perverse part here is that phishing didn't
start up until around 2003, by which time the RSA patent was no longer
an issue.  I think it is a stretch to blame the patent for the phishing
thing; it's a factor, but it isn't a central factor.

FWIW, I never heard of patents being a problem in all my observations of
the phishing wars.  It's best explained by an institutional &
competition framework in deadlock with the CA-WG-CabForum-vendor
primaries, and others around the edges;  as is described frequently any
time someone asks.

The second comment in that paper by Anderson [0]:

    (the other is the network effect created by the
    two-sided market in servers and clients; no merchant
    wants to change its web server if it would lose even
    a few percent of web browsers).

I wouldn't disagree with that as an issue, but I would say it doesn't get
to the nub of the problem, because there are things that can be done that
don't affect the two-sided market;  and they weren't done.  And in some
cases they were rolled back (the yellow bar, the independent audit).

I'd say the two-sided observation is more an excuse that was frequently
rolled out by those who were incentivised to not fix it.


> EKE would probably be deployed more often if people were
> not concerned with the patents.


Again, I'm unaware of anyone pushing that.  I grant that the patents
might have knocked it out as a solution.  But where there's a will,
there's a way;  if people really want the solution, we've generally
found a way.  So, skepticism.



iang



[0]  http://weis2014.econinfosec.org/papers/Anderson-WEIS2014.pdf

