[Cryptography] Licensing of cryptographic services in France

Tue Aug 27 11:13:13 EDT 2024

At this point, we don't know what charges are going to be brought against
Durov in France. It is very likely that the 'failure to register to provide
cryptographic services' cited in the complaint is merely the equivalent of
a holding charge.

That said, there is a big difference between providing cryptographic
apparatus and providing cryptographic services and this is why I believe
Signal, Session and many other companies need to consider a change of
course because their current architectures make them sitting ducks for
hostile government intervention.

We all use SMTP email for one simple reason, it is an open network any mail
service provider can join. The need to control spam has made that a
'kinda/sorta' situation but the basic principle of many service providers,
one infrastructure stands.

Every cryptographic service provider to date has been designed as a
monolithic service. Signal has an open source client but you can only use
it with the Signal service.

This is a bad situation for users. Alice and Bob can only talk if they both
use the same messaging service provider. Getting someone to install Signal
so you can talk is a non-trivial task that many journalists are unable to
complete.

But it is also painting a target on the service providers and not just in
France. Take the recent legislation the Tories pushed through in the UK
which puts intercept requirements on the service providers.

An open network architecture in which each user chooses their own service
provider is robust against these types of attacks. It doesn't matter to
Alice if Signal shuts down in the UK, she can pick a different service
provider that is out of the jurisdiction or she can become her own service
provider.

The Mesh takes this a step further and makes it very easy for Alice to
switch service providers so that the service provider is always accountable
to Alice.

People don't have to adopt my code, but the reason I wrote the code is
precisely because I see the service provision as a point of pressure that
puts the operators of those services at risk. I have an existence proof for
an alternative approach.

As a result of the cryptowars, there tends to be an oppositional approach
to government regulation. But there are some legitimate government
interests. Having experienced multiple terrorist attacks on members of my
family, I would support lawful intercept if it was a feasible proposition.
The problem being that building a cryptographic apparatus suitable for use
by terrorists or the military who have a very high degree of interest in
using it correctly is a much easier proposition than building systems
suitable for use by civil servants which is in turn much easier than for
the general public.

But there are legitimate government concerns. Providing defective
cryptographic systems is harmful to government interests and providing a
system with an undeclared backdoor for a hostile government would be a
national security issue.

Another major government issue is competition. The free market is a quaint
theory but as Adam Smith observed, there is a tendency of people in the
same trade to conspire against the public. The walled garden model serves
the interests of the service providers but is a conspiracy against the
public and there is a legitimate government interest in forcing those
gardens to open up.

I am of course aware of the MIMI effort in IETF to produce the absolute
minimum level of interoperability possible to comply with the regulatory
requirements and turn the walled gardens into a profitable cartel. I don't
think this is going to work for anyone.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20240827/a202ef1d/attachment.htm>