Stephen Farrell: > However, say we're wrong and someone who thinks OS is a waste > of time is actually correct, what would such a person recommend > that we do as well as, or instead of, OS? [BA] It depends on who we are trying to protect, and from what (or whom). If the target is protection of dissidents from oppressive regimes, then you need something much more comprehensive than 'unauthenticated opportunistic encryption" (e.g. along the lines of Tor). If the target is protection against PM within wealthy nations, then you'd need something that can't be rendered harmless by a modest budget increase. A number of MITM protection mechanisms have been suggested (e.g. DANE, channel binding, etc.). Also, in this category should be mechanisms for protecting privacy against private-sector adversaries. As long as private companies can amass huge dociers without resort to PM (or without the need to subvert OS), and are willing to sell that personal information to third parties (dodgy ones, let alone governments), one wonders whether government agencies would make better use of their funds by "buying" surveillance, rather than trying to "build" it. |