On Tue, May 17, 2016 at 08:04:17PM -0400, Phillip Hallam-Baker wrote:
> Crypto doesn't actually solve any of your security problems. Not one,
> zilch, zero.
>
> What cryptography does is to reduce the size of your information security
> problem. It can reduce it in size from megabytes or even terabytes to a
> 128 bit key or deciding whether or not to trust one of millions of Web
> sites to whether or not to trust the 50 WebPKI CAs (or ICANN if you are
> feeling really brave). But that is all cryptography does for you. It
> reduces the size of your security problem.
>
> You still have to work out how to keep that key secure or make sure you
> have the right trust anchor. Reducing problems in size is good but you
> still have to solve them.

Yes, indeed.

However, you can make HW that protects a small secret like that really
well, and that's what the dust-up between the FBI and Apple was about.
It turns out that Apple can make that HW even better, and they even
might. The better that piece of hardware, the more expensive to defeat
it, the less likely it is that it will be defeated by criminals -- and
tyrants, but also legitimate state actors; HW and SW don't know the
difference.

Now, of course *convenience* is the Achilles heel of any plan to secure
even a small secret. Thus we see courts demanding that people unlock
their mobile devices (and why should this surprise anyone? There's
nothing special about crypto in this regard). But dead people don't
care about convenience, which is how one murderous terrorist bastard
managed to single-handedly greatly increase the tempo of the current
crypto war. One wonders whether that was their plan!

The important thing is to provide a clear and correct understanding of
the issues to the bureaucrats and politicians, and also of the
trade-offs implied by any proposed policy. And the public too (but
that's much harder).

Nico
--