Frank O'Dwyer writes:
I'm familiar with C2Net. If Stronghold is any good, that is because C2net and/or the Apache team know what they are doing, not just because they picked up a free SSL library on the net. It's easy to build insecure products on good crypto, and many other companies are busy doing just that.
Perry recently posted a summary of his views on the appropriateness of GPL vs BSD vs other licenses for achieving various aims, "free software" under the GNU meaning, vs crypto software deployment. I found Perry's summary to be the clearest on the topic so far. You appear to be arguing with another aim in mind. You seem to be arguing that the primary goal should be to have the best security, from the outset, i.e. one gets the impression from reading your previous two posts that you consider ultimate security more important than deployment. If this is what you are saying, I disagree. As I argued further down, I think cypherpunk type goals are better met by getting people to deploy first, then if they bodge it to encourage them to fix it, and I gave the example of the Netscape RNG weakness which was very quickly fixed once it was found:
Cypherpunks also get involved in breaking crypto, and this is usually enough to get massively commercially deployed strong crypto with unintentional flaws converted quickly into massively deployed crypto without the flaws. e.g. Netscape's random number generator weakness, which Netscape fixed immediately.
That's condescending and irrelevant. Did anyone ever fix web spoofing?
Which is not in the least condescending or irrelevant as it gives an example showing that having what turns out to be less than perfect security can be fairly quickly remedied. And security is hard, even competent people make mistakes. The important thing is to admit and quickly fix such mistakes. I've taken your comments on web spoofing to another post.
Then I guess you agree that closed-source deployment is neither necessary nor sufficient to achieve "strong crypto". Not really sure why you're arguing in that case.
I don't think anyone suggested that closed source deployment was in any way better than open source, and obviously open source is better for verifying the quality of crypto software. However, as was previously suggested, if deployment is the goal, and if one uses for example a GNU license it tends to discourage commercial (typically closed source) deployers, and as Lucky said:

: Many companies will not be able to source contaminated by GNU-style
: licensing restrictions. Consequently, alternatives would be
: found. Some of those alternatives, include using no crypto at all or
: using crypto written by somebody that does not understand
: cryptography. Hardly the outcome a Cypherpunk would desire.

And I think at this stage something is vastly better than nothing.
You don't get it, but then have you ever written any crypto code with the objective of undermining the power of the state? Is this your aim in writing your open source application code that you name dropped?
Yes, and yes.
Cool, what application area are these in? Got a URL?
(I don't think you understand the term "name dropped" btw.
Just a comment on the Rick Smith (of Secure Computing) syndrome (read the cryptography list and you'll know about the book he wrote, because every other post he makes involves it). Perhaps not appropriate in your case, but if people mention software, it is nice to know some details: why should we be interested in your software etc.
But given the name-dropping and appeal-to-authority tone of your whole post, I wonder if you understand the term "irony").
Irony? Your post was intended to be ironic? What is ironic about arguing that first cut security is more important than deployment? This is cypherpunks, people tend to speak their mind, and usually aren't too delicate about it -- welcome to the cypherpunks list.

Adam
--
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`