Nicolas Williams wrote:
On Mon, Jun 30, 2008 at 07:16:17AM -0700, Allen wrote:
Given this, the real question is, /"Quis custodiet ipsos custodes?"/
Putting aside the fact that cryptographers aren't custodians of
anything, it's all about social institutions.
Well, I wouldn't say they aren't custodians. Perhaps not in the
sense that the word is commonly used, but most certainly in the
sense custodians of the wisdom used to make the choices. This is
exemplified by Bruce Schneier, an "acknowledged expert," changing
his mind about the way to do security from "encrypt everything" to
"monitor everything." Yes, I have simplified his stance, but just to
make the point that even experts learn and change over time.
There are well-attended conferences, papers published online and in many
journals, etcetera. So it's not so difficult for people who don't know
anything about security and crypto to eventually figure out who does, in
the process also learning who else knows who the experts are.
Actually I think it is just about as difficult to tell who is a
trustworthy expert in the field of cryptography as it is in any
field of science or medicine. Just look at the junk science and
medical studies. One retrospective study of 90+ clinical trials
found that over 600 potentially important reaction to the drugs
occurred but only 39 were reported in the papers. I suspect if we
did the same sort of retrospective study for cryptography we would
find some similar issues, just, perhaps, not as large because there
is not as much money to be made with junk cryptography as junk
pharmaceuticals.
For example, in the IETF there's an institutional structure that makes
finding out who to ask relatively simple. Large corporations tend to
have some experts in house, even if they are only expert in finding the
real experts.
We (society) have new experts joining the field, with very low barriers
to entry (financial and political barriers to entry are minimal -- it's
all about brain power), and diversity amongst the existing experts.
There's no major personal gain to be had, besides fame, and too much
diversity and openness for anyone to have a prayer of manipulating the
field undetected for too long.
I'm curious, how does software get sold for so long that is clearly
weak or broken? Detected, yes, but still sold like Windows LANMAN
backward compatibility.
When it comes to expertise in crypto, Quis custodiet ipsos custodes
seems like a relatively simple problem. I'm sure it's much, much more
difficult a problem for, say, police departments, financial
organizations, intelligence organizations, etc...
Well, Nico, this is where I diverge from your view. It is the
"police departments, financial organizations, intelligence
organizations, etc..." who deploy the cryptography. Why should they
be able to do that any better than they do anything else? I suspect
that a weakness in oversight in one area is likely to reflect a
weakness in others as well. Not total failure, just not done the
best possible.
Best,
Allen
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
