Status of Cryptography Research in implementation of the EUCD

Ian Miller Ian_Miller at singularis.ltd.uk
Sat, 17 Aug 2002 10:07:37 +0100


At 13:02 +0100 16/8/02, Owen Lewis wrote:
>> -----Original Message-----
>> From: ukcrypto-admin@chiark.greenend.org.uk
>> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Ian Miller
>> Sent: 15 August 2002 22:33

>> The question is whether the public
>> relying on the security products will have access to same information.
>> Responsible researchers telling the supplier first and then, after a
>> suitable delay, going public are doing a public service.  They should be
>> encouraged, not out-lawed.
>
>That is one way of looking at it. Not all act as you say.
>
Then perhaps we should have laws requiring them to.  That, as I already
said, would be entirely reasonable.  Permanent gagging isn't.

>Yet once again, the harm lies not in discovery of a method of circumvention
>(etc) but in its publication or in its direct application, by the discoverer
>in person or, equally, by others who have read his publication. Telling the
>manufacturer in the first instance is courteous but will often be
>insufficient to prevent harm by the subsequent publication. For harm to be
>surely avoided, publication would need to be delayed until its content
>retained only academic interest and had lost all commercial value for
>criminal purposes. That piece of string may be longer or shorter. It may
>sometimes be very long indeed.
>
I still consider you are taking a very unbalanced view, considering the
system owner's rights before all others.  Had there been the legal power
to suppress information about weaknesses in the past, then a number of
innocent persons would have been convicted of fraud over 'phantom
withdrawals' from ATMs.

You are right that obscurity can be useful in security.  However, all too
often it is useful not in preventing security breaches but in offloading
the liability onto someone else.

Ian

--
Singularis Ltd, 32 Stockwell St, Cambridge, CB1 3ND
Tel:  +44 1223 525088	            Mobile: +44 777 5536663
Fax:  +44 870 0514333	 (e-mail preferred to Fax)