Adam Back wrote:
Mr Johnny Come Lately writes:
Adam, in future please spare me your warrantless insults. Thanks.
Having said that I do question whether take-up of free crypto components by commercial companies genuinely results in "strong cryptographic products". I'm not meaning to denigrate Eric's work in any way, but in my experience the likes of SSLeay is very often shovelled into products by companies who don't understand crypto, don't understand SSL, and barely understand SSLeay. Even those who do understand what they are doing are typically working "on Internet time". Certainly merely linking to SSLeay does NOT result in a "strong cryptographic product", not by any stretch of the imagination.
Let me clue you in here: you are talking to the Caped Green one, who currently is working for C2Net, which just happens to be selling Stronghold, a commercial version of Apache, which is the most widely used secure web server in the world. Guess what: Apache uses SSLeay, and Stronghold also inherits this.
I'm familiar with C2Net. If Stronghold is any good, that is because C2net and/or the Apache team know what they are doing, not just because they picked up a free SSL library on the net. It's easy to build insecure products on good crypto, and many other companies are busy doing just that. In fact, it's funny that you tout a "secure web server" as "strong crypto" since in that context SSL is usually vulnerable to being end-run by web spoofing. Oops. Oh well, it uses strong crypto, so it must be good.
The bottom line is that GNU-licensing is more restrictive than BSD/SSLeay-style licensing. Hence identical freeware will see less deployment under GNU than under BSD.
Cyphpunks believe that more strong crypto is better.
Well then, "Cypherpunks write code". Wide deployment of crypto components in closed-source programs (especially by cluebags) is neither necessary nor sufficient to achieve "more strong crypto" in the sense that Cypherpunks mean it, in my opinion. (Yes, it's better than nothing, but not much better.)
What sense do cypherpunks mean strong crypto in then? Perhaps you could educate us?
They mean lots of crypto out there firstly, so that the when the government tries the next GAK initiative the government has less chance of pushing it through, as more people know what crypto is, and understand how outrageous mandatory domestic GAK is. Secondly they mean strong crypto, as in full key strengths, and no flaws. But mainly their interest in deploying strong crypto by whatever means available (commercial, freeware, or whatever) for a purpose: to undermine the power of the state, to allow people to go about the business unhindered by the state.
Then I guess you agree that closed-source deployment is neither necessary nor sufficient to achieve "strong crypto". Not really sure why you're arguing in that case.
Cypherpunks also get involved in breaking crypto, and this is usually enough to get massively commercially deployed strong crypto with unintentional flaws converted quickly into massively deployed crypto without the flaws. eg. Netscape's random number generator weakness, which netscape fixed immediately.
That's condescending and irrelevant. Did anyone ever fix web spoofing?
The conclusion in the GNU vs. BSD/SSLeay/etc. license debate should be clear.
Well, it clearly isn't, as evidenced by the large number of fairly bright people arguing about it. :)
It's clear to pretty much all the cypherpunks I've seen contribute to the thread, Eric, Perry, Adam Shostack, Jim McCoy, Bruce Schneier. Probably there were some others who contributed to the thread also.
You don't get it, but then have you ever written any crypto code with the objective of undermining the power of the state? Is this your aim in writing your open source application code that you name dropped?
Yes, and yes. (I don't think you understand the term "name dropped" btw. But given the name-dropping and appeal-to-authority tone of your whole post, I wonder if you understand the term "irony"). Cheers, Frank O'Dwyer.