[saag] Comment on open source Re: keys under doormats: is our doormat ok?

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 16 July 2015 14:16 UTC

From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/vbSsgIUOpXU-_LKEkicuf0BMynk>
Cc: Dave Crocker <dcrocker@bbiw.net>, "saag@ietf.org" <saag@ietf.org>

On Mon, Jul 13, 2015 at 4:11 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Tend to agree. It's also addressing export of course but were any
> of the recently mooted government silliness to become real, it'd
> also have to involve controls on export/import as well as on usage
> so that part of the analysis is actually still relevant I figure.
> (There'd be an even bigger and even sillier impact on open source
> the importance of which is nowadays probably better appreciated.)
>

I don't think it is the importance of open source in general that has
changed. The difference is that the portion of the stack where the crypto
usually lives is no longer the portion that is proprietary and competitive.
Even the commercial applications are based on code which is open source.
Microsoft just put the whole of the .NET framework up on GitHub under an
MIT license.

Managing a computer in a way that provides sufficient security to protect
my stuff is fairly straightforward. Managing a computer in a way that
provides sufficient security for other people's stuff is very hard. There
is liability to be considered. There have to be audits.

The best way to design a system therefore is to avoid becoming a trusted
service if at all possible and limit the degree of trust other parties have
to put on your system.

The fatal flaw with mandated lawful access is that the only way I can
design a system that allows me to guarantee access for Mr Plod or Mr Spook
is by designing the system in a way that allows my own employees to perform
similar abuse.