Status of Cryptography Research in implementation of the EUCD

Adrian Midgley midgley at mednetics.org
Wed, 14 Aug 2002 12:10:34 +0000


On Wednesday 14 August 2002 10:55, you wrote:

> The principle of de minimis (sadly ignored in recent years) should be
> invoked to provide de facto immunity from prosecution for the act of
> research. No such immunity should be extended to the unauthorised
> publication of successful hacks.

Good start, trails off toward the end.
Perhaps there is a need for an _official_ publication route - whereby in the
interests of the public any notification of a security hole _will_ be
published to the public, fairly soon, but the owners or maintainers of the
code involved will be notified officially, and an official record kept of
that notification, while the fan and flinger are winding up.

Otherwise, if for instance a major and financially significant hole in (say)
SSL certificate handling in one or more web-browsers such that a third party
could get credit card details from users might be dealt with by one supplier
quietly and immediately fixing it and issuing the repaired browser the
following day... [1] and by another supplier doing nothing visible,
continuing to sell the browser in question as part of a secure ecommerce
solution and even preload it on many new PCs, secure in the knowledge that
anyone announcing the fault could have revenge exacted upon them.

[1]  leading of course to the question of what the other supplier, who might
for instance be a private individual or small group of such rather than an
internationally acclaimed and commensurately funded megacorp, would feel able
to say as an explanation for why there was a sudden new issue, and why people
should quickly change to it...?

"there was something wrong with my browser, I can't tell you what it is or
why I can't tell you and I can't tell you if it applies to other programs
although I do know..."

> If the intention was as you believe it to be, then I think that intention
> was mistaken. Academic freedom (or any other freedom) is laudable, just so
> long as it is not so proudful as to wish to trample into the dust the
> rights of others.

What does one do if one finds the structure of a bridge is such that it is
likely to fail in normal use?  Refrain from infringing the rights of the
owners to continue profiting from the tolls, and from their high engineering
reputation, or their intellectual property rights to the design being thought
to be a good one?  I hope not.

-- 
From one of the Linux desktops of Dr Adrian Midgley
http://www.defoam.net/