Mr Johnny Come Lately writes:
Having said that I do question whether take-up of free crypto components by commercial companies genuinely results in "strong cryptographic products". I'm not meaning to denigrate Eric's work in any way, but in my experience the likes of SSLeay is very often shovelled into products by companies who don't understand crypto, don't understand SSL, and barely understand SSLeay. Even those who do understand what they are doing are typically working "on Internet time". Certainly merely linking to SSLeay does NOT result in a "strong cryptographic product", not by any stretch of the imagination.
Let me clue you in here: you are talking to the Caped Green one, who currently is working for C2Net, which just happens to be selling Stronghold, a commercial version of Apache, which is the most widely used secure web server in the world. Guess what: Apache uses SSLeay, and Stronghold also inherits this. I would also rate the folks at C2Net as pretty crypto clueful, btw. 2nd hint: C2Net is currently employing Eric Young also, and Eric's SSLeay still has the same license.
The bottom line is that GNU-licensing is more restrictive than BSD/SSLeay-style licensing. Hence identical freeware will see less deployment under GNU than under BSD.
Cyphpunks believe that more strong crypto is better.
Well then, "Cypherpunks write code". Wide deployment of crypto components in closed-source programs (especially by cluebags) is neither necessary nor sufficient to achieve "more strong crypto" in the sense that Cypherpunks mean it, in my opinion. (Yes, it's better than nothing, but not much better.)
What sense do cypherpunks mean strong crypto in then? Perhaps you could educate us? They mean lots of crypto out there firstly, so that the when the government tries the next GAK initiative the government has less chance of pushing it through, as more people know what crypto is, and understand how outrageous mandatory domestic GAK is. Secondly they mean strong crypto, as in full key strengths, and no flaws. But mainly their interest in deploying strong crypto by whatever means available (commercial, freeware, or whatever) for a purpose: to undermine the power of the state, to allow people to go about the business unhindered by the state. Cypherpunks also get involved in breaking crypto, and this is usually enough to get massively commercially deployed strong crypto with unintentional flaws converted quickly into massively deployed crypto without the flaws. eg. Netscape's random number generator weakness, which netscape fixed immediately.
The conclusion in the GNU vs. BSD/SSLeay/etc. license debate should be clear.
Well, it clearly isn't, as evidenced by the large number of fairly bright people arguing about it. :)
It's clear to pretty much all the cypherpunks I've seen contribute to the thread, Eric, Perry, Adam Shostack, Jim McCoy, Bruce Schneier. Probably there were some others who contributed to the thread also. You don't get it, but then have you ever written any crypto code with the objective of undermining the power of the state? Is this your aim in writing your open source application code that you name dropped? This is what I meant by my short rant about coderpunks detracting from the cypherpunk objective: siphons off 'punks from cypherpunks into a crypto-politically neutral environment. Then it gets increasingly more crypto-politically neutral subscribers, and anyone reminding or commenting that the original aim of the game was to distribute strong crypto to undermine the state, gets told by the local retro moderators that political stuff isn't welcome. Try reading the cyphernomicon (*), if you haven't. Adam (*) http://www.oberlin.edu/~brchkind/cyphernomicon/