[Cryptography] Why aren’t we using SSH for everything?

Nico Williams nico at cryptonector.com
Sun Jan 4 20:35:02 EST 2015


On Mon, Jan 05, 2015 at 01:37:28PM +1300, Peter Gutmann wrote:
> Yup, IPsec is a whole minefield of problems.  For example:
> 
>   [horrors elided]
> 
> This illustrates what I mentioned in my previous message, that IPsec's
> transparency means that "it's indistinguishable from security that's not
> present".

Exactly.  Security must be easier than OpenSSL's API, much, *much*
easier.  But it can't be entirely transparent.  The user(s) has(have) to
play some role, and human-meaningful _names_ are the key.

Naming must be simple, and it doesn't get much simpler than DNS (for
hosts) and name at domain for most other things.  Add confusable script
detection and protection against that and I don't think we'll do much
better on that front.

The sooner we accept this, the better.

Nico
-- 


More information about the cryptography mailing list