Hi there, >> Knives have their dangers, and the metal-processing industry should not >> be encouraging their widespread adoption. >> >> Funny - that conclusion, which is analogous to yours, doesn't make much >> sense to me. Does it to you? >> >> Encryption is a tool - it's neither good nor bad in itself. What you do >> with it is the question. > > The analogy that come to my mind is not knives, but guns. You're trying to drag me with my knives into a gunfight (pun inevitable). But that won't work: I've chosen the analogy with a bit of care: Knives are easily available to anyone, just like encryption. The distribution of knives can't reasonably be regulated so that they are only available to few sanctioned bodies; they are simple to manufacture, "blueprints" if you think you need some can be found easily, and the raw materials cannot be held away from the public either; they are just too useful for any sort of purposes. The same goes for encryption: anyone with a compiler can implement the publicly available algorithms and manufacture an encrypting/decrypting device of program himself (for you probably "Weapon of Mass Encryption" ;-) [*] ). In fact, it has happened hundreds of times and nobody raises an eyebrow. In both, the product has already proliferated, and it is not possible to roll back to a state where it hasn't. Also, both of those have proven to have both too numerous and unquantifiable good and bad uses, and both of it in scale; there is no obvious, generally-accepted world-wide agreement that either of the two can only be used for nefarious purposes. So, I feel good comparing these two tools. Contrary to that, your comment tries to drag me into comparing encryption with a class of tool (yes, it also is one) which fails comparability to encryption in all the points I made above: Guns are not easily available to anyone. In absolute terms, they *are* though; regulation merely raises the bar to get one. I guess if you really want one, there are plenty of ways getting one illegally in most countries of the world. Otherwise, the terrorists wouldn't have guns, would they? This in itself makes your point below a bit moot: if you'd heavily regulate the use of encryption, it would still keep being available; and with the bar too high for John Does, its use would become common only for those who have something to hide. Guns have not (yet) proliferated; governments try to keep in a state where this doesn't happen. They do struggle with this in the 3D printer age now; it will be interesting to see how they can cope with that step towards proliferation. Guns have a much harder time proving that they have good uses outweighing/getting on par with the bad ones. Encryption has proven its good uses plenty of times; it also has its bad ones, but due its general applicability to any sort of communication on a much more equal scale than guns do. You couldn't even make a point to the contrary: your "argumentation" in your original mail merely managed to point out two singular uses where the use of encryption didn't match your personal point of view of being "good". If the same encryption technology is used by demonstrating masses in totalitarian countries, which enabled them to lead to a revolution towards democracy, your opinion on exactly the same use of technology might have swung around. So, to sum up: encryption is a general-use technology. Your attempt to position it as a threat to society is rather futile. > Many, probably most, countries in the world place quite stringent > restrictions on what their citizens can do in owning or using guns. > Were the UN to produce a convention restricting their use, one country > one vote, I expect that it would be passed with a large majority. The > evil done by terrorists, criminals, evil empires and so on with guns > outweighs the good. > > The technology is neutral; the user of it is evil or not, as the case > may be. > > > If encryption makes terrorism, crime and so on more likely, then we > could see countries impose restrictions on encryption in the same way as > for guns, and a few years down the line, the role of the IETF in > encouraging the use of strong encryption could be seen as a serious > misjudgment, one that is damaging to the standing of the IETF. > > Authentication is fine, in fact I think that it is grossly misunderstood > and underused and does not, as far as I can see, pose a threat; > encryption is a different matter. Now that is really quite a bit short-sighted. Authentication without encryption allows every listener (including those in the perpass sense) to find out who exactly made the statement, with some strong amount of provability. If at the same time banning encryption, this exposes everyone's communication to the world, with no way of provable deniability, and no way of talking in private. This is like a dream for perpass-style attackers. With the kind of statements you made in this thread, I can't help but wonder on whose paycheck you are. I read British Telecom as per your your mail address (and certainly hope that you are not representing company opinion), but can't help think it's "5 Eyes" instead. Greetings, Stefan Winter [*] IETFers should really wear T-Shirts stating "I produce Weapons of Mass Encryption" :-) -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Attachment:
0x8A39DC66.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP digital signature