[Cryptography] How to De-Bollocks Cryptography?
Phillip Hallam-Baker
phill at hallambaker.com
Tue Aug 13 00:02:36 EDT 2024
On Mon, Aug 12, 2024 at 1:11 PM Kent Borg <kentborg at borg.org> wrote:
> On 8/12/24 05:25, Peter Gutmann wrote:
>
> > There's also a tendency for protocol designers / standards committees to
> > design mechanisms to try and address every imaginary issue everyone on the
> > standards committee could ever dream up, including a great many that don't
> > actually exist.
>
> Ah, committees. Paper is cheap. Even cheaper now that mostly no one ever
> prints anything.
>
>
> If only there were someone with some common sense and visibility and
> cryptography credentials to lead an effort to define a "TLSsimple"
> standard. (Mostly a job of just deleting stuff, right?)
>
> And then get some Rust folk to implement a solid version of it, I hear
> there is funding for such things. It could be small enough to run in fairly
> restricted embedded devices, even
>
I don't think TLSsimple is what we need. What we really need is a protocol
to do secure Web Services in which each transaction is individually and
discretely authenticated so that injection attacks are defeated. Web
Services are poorly served by TLS security and make almost no use of HTTP.
So go straight to an HTTPS alternative designed for Web Services - which is
what I have written.
Now unfortunately, it will get a bit more complex in the next week or so
because I am going to have to add in PQC security, well, because nobody is
going to switch to a next gen PKI unless it is PQC.