[liberationtech] W3C WebCrypto Last Call for Comments *today*
Anders Rundgren
anders.rundgren.net at gmail.com
Wed May 28 12:31:42 PDT 2014
On 2014-05-28 16:55, Ryan Sleevi wrote:
> Again removing public-webcrypto-comments.
Yes, I forgot to mention that standardization efforts have nothing
to do with Democracy, Free speech, Level playing fields, or a
Quest for the best possible solution...
It is only about playing hard-ball, hallway lobbying and general
disrespect for small entities.
http://lists.w3.org/Archives/Public/public-webcrypto-comments/2014Feb/0038.html
A part of the game is also to be completely uninterested in evaluating
alternative solutions to a problem.
Anders
>
> On May 28, 2014 7:33 AM, "Anders Rundgren" <anders.rundgren.net at gmail.com> wrote:
>
> I don't have much to offer regarding the algorithm issues but I believe
> my 15Y+ with (mainly unsuccessful) security standardization efforts
> have given me at least a perspective on this.
>
> There are no entirely objective and honest persons around.
> We all have something to defend like "professional relevance",
> our employer's legacy systems, and last but not least our egos.
>
> The W3C also have another objective: keeping their big members
> happy since they pay their salaries.
>
> In addition, people have rather different personalities making
> it hard getting a reasonable climate for open discussions.
>
> I once complained to Linus Torvalds that Linux lacked cryptographic
> architecture and he said he had given up on that since security-
> people never agree on anything. I think he is right :-(
>
> Anders
>
>
> On 2014-05-28 15:28, carlo von lynX wrote:
>
> Sorry libtech, some of the in-between mails were not forwarded
> to you.
>
> On Wed, May 28, 2014 at 02:21:55PM +0200, Anders Rundgren wrote:
>
> Asking for "consensus" on anything security-ish under these
> circumstances is simply put impossible.
>
>
> That's because you can't build consensus if some participants
> have an interest in dominating over others. The method of
> consensus requires the group to remove such elements in order
> to be able to work out a consensus which is best for the group -
> and in this case the consensus must be privacy for humanity,
> not security business models for companies or obligations to
> their respective governments.
>
> So the mistake in the method you are applying is well-researched
> and has an answer. Issues concerning basic constitutional rights
> of citizens must not be defined by a standards body open to
> entities and elements with incompatible interests.
>
> Thus, Webcrypto CANNOT reasonably be brought forward by
> either W3C or IETF. q.e.d.
>
> Following the logic in your reasoning, you should list all the
> algorithms that should be deprecated. I'm not a cryptographer
> but I'm quite familiar with security protocols and that's where
> things go really wrong. If you take a peek in the IETF-TLS
> list you will get an idea of the complexity building secure
> protocols.
>
>
> That is a fallacy. Negotiation is a bug. GNUnet comes with one
> wise choice of a cipher. Should a sufficiently relevant new
> cipher be invented, GNUnet will have a transition period -
> but that's it. No backwards compatibility humbug forever.
>
> BTW, I'm not a member of the WebCrypto WG but I mentally support
> the work anyway. If somebody comes up with a better mousetrap
> I don't think anybody will object :-)
>
>
> That's why you are perpetuating this debate which is VERY
> much not in the interests of the W3C members. I like it.
> Thank you for letting Eleanor's and my voice be heard.
>
> There were requests for a high-level API that would hide the
> complexity as well as always using the "best" algorithms.
>
>
> Oh that's easy.. you can look at NaCl or EthOS for inspiration.
>
> It was rejected and IMO on correct grounds because there
> would be endless discussions on how such a thing would work
> and in the end nobody would be happy anyway.
>
>
> It is totally among the duties of the advanced lobbyist to
> know how to gently and delicately break consensus processes.
> Of course a consensus could be found, but only among honest
> participants. If you weren't successful, this is by today's
> knowledge on democracy research a proof that your work has
> been undermined by at least one participant who had no
> interest in achieving consensus.
>
> Or did you expect secret services would walk into the
> working group meetings armed with machine guns and coerce
> everyone into stopping to work on reasonable crypto
> technologies for the masses?
>
>
>
>