Status of Cryptography Research in implementation of the EUCD

Ian Miller Ian_Miller at singularis.ltd.uk
Thu, 15 Aug 2002 11:00:52 +0100 

At 11:55 +0100 14/8/02, Owen Lewis wrote:
>Let's be clear here. There may be three discrete set of interest. Company
>A's, Dr Y's and those who may protect value for themselves through the use
>under terms of licence of A's copy protection scheme. There is no public
>interest, per se, beyond the patent public good in having laws that punish
>theft or the aiding and abetting of theft.
>
>If Y publishes openly, it can be argued strongly that the only party who
>stands to gain other than thieves is Y and that it is quite wrong that he
>should be allowed to do so at the expense of direct loss caused to others.
>
I disagree.  Another group that gains is any prospective customers of A's
who may be considering relying on the protection of A's algorithm, but
would be much better using an alternative.  Equally in the long term, all
of A's customers may benefit, if it forces A to fix a problem.

The problem with concentration on the rights of owner of the protection
scheme is that it is allows companies to market technically worthless
protection schemes with extravagant claims and gives them the means to
suppress all public criticism of those schemes.  In such an environment
there is comparitively little point in investing money in developing the
technology, rather than paying lawyers to silence your critics.

In short the proposals, as they are, will encourage
security-through-obscurity and an illusion of security rather than the
reality.

I would be all in favour of a regime where all discoverers of weaknesses
(whether or not 'academics') must inform the owner first and give them the
opportunity of fixing the problem and circulating the fix prior to
publication.  However long-term suppression of weaknesses is not in IMO in
the public interest.

My own experience is that faced with valid criticism of protection schemes,
the owners often ignore or deny the existence of the problem[1].  I think
giving this legal protection is a very very bad idea.

Ian

[1]: I spent some months privately trying to persuade the authors of
RFC1858 that their solution was flawed, in the hope that they would publish
a correction.  In the end I gave up and published the problem myself
(RFC3128).

--
Singularis Ltd, 32 Stockwell St, Cambridge, CB1 3ND
Tel:  +44 1223 525088	            Mobile: +44 777 5536663
Fax:  +44 870 0514333	 (e-mail preferred to Fax)