Status of Cryptography Research in implementation of the EUCD

[Owen Lewis]

> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Ian Miller
> Sent: 15 August 2002 11:01
> To: ukcrypto@chiark.greenend.org.uk
> Subject: RE: Status of Cryptography Research in implementation of the
> EUCD
>
>
> At 11:55 +0100 14/8/02, Owen Lewis wrote:
> >Let's be clear here. There may be three discrete set of interest. Company
> >A's, Dr Y's and those who may protect value for themselves
> through the use
> >under terms of licence of A's copy protection scheme. There is no public
> >interest, per se, beyond the patent public good in having laws
> that punish
> >theft or the aiding and abetting of theft.
> >
> >If Y publishes openly, it can be argued strongly that the only party who
> >stands to gain other than thieves is Y and that it is quite wrong that he
> >should be allowed to do so at the expense of direct loss caused
> to others.
> >
> I disagree.  Another group that gains is any prospective customers of A's
> who may be considering relying on the protection of A's algorithm, but
> would be much better using an alternative.  Equally in the long term, all
> of A's customers may benefit, if it forces A to fix a problem.

Check earlier exchanges in this thread. The circumstances you describe may,
but do not necessarily pertain. There is no overriding rule.

> The problem with concentration on the rights of owner of the protection
> scheme is that it is allows companies to market technically worthless
> protection schemes with extravagant claims and gives them the means to
> suppress all public criticism of those schemes.  In such an environment
> there is comparatively little point in investing money in developing the
> technology, rather than paying lawyers to silence your critics.

1. Markets are largely self balancing.

2. If the law is a bad tool to redress market balance, vigilantism is surely
worse.

>
> In short the proposals, as they are, will encourage
> security-through-obscurity and an illusion of security rather than the
> reality.

Sigh. As a forty-year practitioner of security in various guises, may I
assure you that, beyond all doubt and argument, there is security to be
obtained from obscurity. What is true is that obscurity is only sufficient
protection in itself where there is not time for a sufficiently prepared
attack i.e. obscurity cannot yet be breached. I say again, absolute security
is a theoretical state and not a practical one. It is not even a desirable
state. What is desirable (and usually obtained by those who know what they
are doing), is sufficient security for the task in hand with a margin to
allow for error in calculating the needs of the task.

> I would be all in favour of a regime where all discoverers of weaknesses
> (whether or not 'academics') must inform the owner first and give them the
> opportunity of fixing the problem and circulating the fix prior to
> publication.  However long-term suppression of weaknesses is not in IMO in
> the public interest.

It may or may not be. There is no proven rule (only assertions) put here. If
you know the rule and can state its proof, I shall listen carefully.