[Cryptography] How to build trust in crypto (was:recommending ChaCha20 instead of RC4)

Ralf Senderek crypto at senderek.ie
Sun Mar 16 10:57:51 EDT 2014


On Sat, 15 Mar 2014 16:31:05 ianG wrote:

>  If people stop believing in institutions such as standards bodies,
>  certification bodies, and governments, the question is, what or whom
>  will they trust?  And what could actually deliver that trust?

On Sun, 16 Mar 2014 05:33:57 James A. Donald wrote:

>  Trust individuals.

>  Let us have Jon Callas as unelected president for life of symmetric
>  cryptography, Bernstein as God King of public key cryptography.

On Sat, 15 Mar 2014 23:34:34 Stephen Farrell wrote:

>  But for me I conclude that trying to make as much of the
>  technology that gets used have as much resistance against
>  this attack is the approach to try, while not aiming for
>  perfection, and without claiming that other approaches are
>  that wrong.

It seems to me that it might make sense to get an open competition
going to elect a process of building trust in crypto that actually
works in practice and gets us out of the situation we're stuck in today:

The challenge is this:

"Show me the whole practical process anyone on this planet can use to
have a secure online communication with someone else."

The proposals must not be reduced to technical specifications but need to
show how exactly we can achieve the results of trust building. In this
process individuals must play an important role. As a precondition the
process must be entirely comprehensible and verifiable, so that a variety
of smart people - including the President and the God King - can expose
themselves to say "Yes, I've checked this approach, I know of N capable
colleagues that I know have scrutinized the code and the inner workings.
I might be wrong, but I sincerely would recommend to use this to my wife."

The successful winner of this competition won't be perfect, it won't
guarantee that the NSA cannot subvert it, it wouldn't even guarantee
that it'll be widely used in practice, but it would be a foundation
for the mammoth task that lies before us, to take back the internet.

Including the personal aspects, the need for a reliable framework that
shows all checks have actually been done in a way people can understand
might make this approach a success. I hope this can help to get the
ship going again, and I'm sure others will have much better ideas how
to achieve trust in crypto. Don't keep them to yourself.

     --ralf


More information about the cryptography mailing list