[Cryptography] Long-term security (was Re: ratcheting DH strengths over time)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Nov 17 23:42:13 EST 2015


Ray Dillinger <bear at sonic.net> writes:

>If you want an automatic update, that's a fine way to prevent an expiry from
>happening in the usual case.

It's also a fine way to break your entire customer base's operations in one
fell swoop.  The rule in embedded has always been "once it's installed and
configured, never ever touch it again".  Routers and the like (or more
generally Internet of Targets, IoT) count as embedded, not desktop PCs.
Autopatch/autoupdate for embedded is inconceeeevable.

You can't even present this as a business proposition.  If people cared about
having supported, updated devices then Linksys would be out of business and
everyone would buy Draytek (see my earlier post on support for these).  For
another example, no-one would ever buy Canon scanners again and Epson would
own the market (they're still releasing x64 driver updates for scanners dating
from Windows XP).

So you've got something that people won't take care of (and by "people" I mean
ones other than hardcore geeks), the market won't take care of, and you can't
legislate without comitting political suicide.  It's easy enough to
philosophise about it, but there's no obvious practical fix.

Peter.


More information about the cryptography mailing list