Status of Cryptography Research in implementation of the EUCD

[Owen Lewis]

> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Graham
> Sent: 15 August 2002 15:37
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Re: Status of Cryptography Research in implementation of the
> EUCD
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thursday 15 Aug 2002 11:43 am, Owen Lewis wrote:
>
> > If I lease you an idea implemented in some fashion that makes it
> > capable of practical use, I need protection for my idea so that I may
> > also sell it to others but you may not do likewise. After all, I only
> > charged you for use of my idea by one person and not 100,000. Since
> > my idea will have cost me a 6/7/8/9 figure sum to conceive and bring
> > to the point of reliable practical application, I can only do such
> > work if I make a large number of sales and, like everyone else, I
> > look to the law to help me in preventing thieves diminishing the
> > worth of my investment by stealing profits from it for themselves.
> >
> >
> > The next complaint one often hears is that the profits are so
> > 'obscene' as to be immoral in themselves and should not be supported
> > by IP law. The truth is that profit is the reward for risk. The
> > inventor or the company who funds and inventor) takes risks that the
> > man in the street would never take (otherwise he would have become an
> > inventor or inventor backer).
>
> I'm sorry, but I do not agree with you; you are entitled to your
> opinion, but "closed box" software when implementing ideas just does
> not work.  There is no way of eliminating bugs unless the user base is
> big enough to use the source code freely, amend it, and make it better
> and more efficient.

Well, you are right. We do not agree. I point only to the success of 'closed
box' software, large and small, and rest my case.

> Cryptographic software could never have the degree
> of trust that it needs unless it was available (in algorithm and source
> code) for peer review, including the algorithms adopted by it and not
> just the code.  And that can only happen if every user is free to adapt
> the software in any way they wish, as long as they pass it on to others
> on the same terms.

If a cryptosystem is for use by the general public, then you are right,
though peer group examination can never be a guarantee of 100% quality.

If a cryptosystem is expertly developed within and is solely for deployment
within a closed group (such as a national government's departments) for high
grade work  then be very sure that the system will be 'closed box' and the
'open source community' may never even so much as know its name.

From first principles and assuming no special access. How many UKG ciphers
can you name that have been used in the last 50 years? How many of those you
can name are in current use?

> And business likes this.  That's because they can maintain their
> software, and adopt it to their own specific needs, because the source
> is available.

Crypto security is more complex than you suggest. It is more that simply
ensuring that cipher X is strong it is about ensuring that the manner in
which all parts of the implementation, management and use of X are similarly
strong to the cipher itself. Businesses simply do not have the requisite
expertise to fiddle about and to truly understand the full measure of their
fiddling (though we all know IT dept managers arrogant enough to claim
otherwise).

And if I, as a home user, can't use the home computer I
> have legally bought in any way I want for any legal purpose because of
> a user agreement that forbids the way I use the software, it is immoral
> and should be illegal.

You did not have to buy it if you did not like the terms. Buy someone else's
product or make your own. It really is that simple.

Owen