[Cryptography] FW: IAB Statement on Internet Confidentiality

Nadine Earnshaw nadine at iinet.net.au
Wed Nov 19 18:34:09 PST 2014 

 
this is how I hope CA will be replaced

https://eprint.iacrorg/2013/622.pdf

----- Original Message -----
From: "grarpamp" 
To:
Cc:
Sent:Wed, 19 Nov 2014 20:17:42 -0500
Subject:Re: [Cryptography] FW: IAB Statement on Internet
Confidentiality

 >>> IAB Statement on Internet Confidentiality
 >>> Encryption should be authenticated where possible, but even
protocols
 >>> providing confidentiality without authentication are useful in
the
 >>> face of pervasive surveillance as described in RFC 7258.
 >>> https://tools.ietf.org/html/rfc7258

 >> Alex:
 >> On a more serious note, the IAB statement below opens up a whole
 >> can of worms. You can't [...]

 >> [... cants, buts, excuses, grandmas, future protocols and policy,
 >> stake making and preserving, wimps, legal, etc... on and on...
 >> ad nauseum]

 > Ian / Jay:
 > Wot? I encrypt all the time without dealing with legal issues.
 > ...
 > No more free lunches, no more rolling over and playing doggy.
 > ...
 > No, we need not negotiate with ourselves before building and
deploying stuff.
 > https://www.fourmilab.ch/documents/digital-imprimatur/

 Indeed. Many seem to be missing the hidden extension / meaning
 of whitewashed quasi-political statements like those of the IAB
 that are now coming from various entities, and it's a point that
 needs made directly, at least regarding one aspect of things...

 It's not anymore about 'should encrypt by default'... continuing
 to give yourselves the lazy fallback excuse of oppurtunistic crypto
 and waiting for someone else to do it. It's not anymore about asking
 your masters for permission to do what is not regulated today, or
 giving them seats and chance to muddle / dictate your protocols
 before they're developed / deployed.

 It's about 'must encrypt' and turning plaintext completely off NOW!
 It's about telling all the lazy oppurtunistic fiber tapping passive
 surveillors, (who are today breaking fundamental inalienable human
 rights not just regulations, and without asking first)... to FUCK
 OFF! This is not a time to play nice and compromise... it's war,
 one which they started against you. So deploy your crypto now, far
 and wide, and faster than the enemy can respond. Mass internet
 entrenchment has a winning history against subsequent fiat.

 We won the first crypto war, now it's time to win the second one.
 Flip the crypto switch, from off to on. Don't ask, don't tell, just
 do it.

 Mail providers and web services... turn plaintext off!
 Banks, schools, utilities, blogs, socialnets, OS distributions,
 user applications... the public facing, used by the public, whole
 lot of you... everyone, everywhere... just turn plaintext off!
 All plaintext transports over the internet... OFF!

 Even decentralized P2P applications such as chat / filesharing apps
 that wish no model using CA certs, can still enforce crypto by
 skipping cert checking under self-signed certs or using [EC]DHE
 style crypto session negotiation.

 There's no lack of capability or support among all these internet
 facing services and apps used by the general public anymore. Every
 OS / library can deal with TLS 1.0+ or key negotiation for that.
 And you don't need some grand crypto scheme that you all love to
 pontificate in endless circles about right now either. Just turn
 the damn plaintext OFF and tell everyone to go read the FAQ and
 update their end if they can't connect. Then worry about your pie
 in the sky later. It doesn't have to be perfect, all you need to
 do is shift the game from taking cheap passive global wire
surveillance
 up the ass, to requiring more expensive targeted active attacks.
 Simply turning off the plaintext does that, it's a huge win!
 https://en.wikipedia.org/wiki/Transport_Layer_Security#Applications_and_adoption

 And while you're at it, set up a nonprofit CA foundation to issue
 free certs and get it added to the Mozilla and MS cert stores
 specifically for the purpose of accomplishing 'plaintext off'. CA's
 are useless profiteers who couldn't authenticate their own ass as
 customers anyways, and cert stores are uselessly bloated with both
 them and enemy entities... so just give the damn certs away to
 anyone who can publish a proof of ownership flag / TLS cert on the
 forward reference to their own services... simply to quiet
self-signed
 warnings Nice to see something like this just dropped as I write:
 https://letsencrypt.org/

 Pick July 4 2015 as the day to disable plaintext, since by then
 everything worth anything will support TLS 1.2 / good negotiation
 parameters, and it's a fitting meme.

 And if you don't like that flag, hoist another one...
 https://en.wikipedia.org/wiki/International_Talk_Like_a_Pirate_Day

 Now quit reading, making excuses and waiting... the enemy will just
 stomp all over your flag. Go get started on your code, updates and
 crypto configs... you've got a flag day to make.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 5998 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20141120/22e56aae/attachment-0001.txt>

More information about the cypherpunks mailing list