- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Thu, 9 Mar 2023 11:08:14 -0500
- To: Christopher Allen <ChristopherA@lifewithalacrity.com>
- Cc: Tomislav Markovski <tomislav@trinsic.id>, Markus Sabadello <markus@danubetech.com>, Orie Steele <orie@transmute.industries>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>, silverpill@firemail.cc
On Tue, Mar 7, 2023 at 10:02 PM Christopher Allen <ChristopherA@lifewithalacrity.com> wrote:

> https://www.blockchaincommons.com/musings/musings-agility/

Christopher, excellent article! I hope that members of these mailing lists take the time to read it.

To your point:

Sadly, and too often, people believe that the individuals working on these cryptographic security specifications at IETF, W3C, and ISO do more due diligence on these standards, or are far more sure of the design over time, than they actually are. Especially developers that are not involved in the process.

Every version 1.x standard is an experiment to a certain degree. Sure, we incubate them and do multiple implementations and pore over the minutiae of the specification text, but once they're deployed into the wild, they take on a life of their own.

Algorithmic agility, for all the hopes that were placed into it in the late 90s and early 2000s, just hasn't worked out, yet it is just accepted by some as a "best practice", when the non-trivial amount of CVEs show a different story.

There is a certain aspect of "deference to authority" here that's also harmful to the security community. Developers are told not to roll their own crypto (which they shouldn't do) and "listen to the IETF CFRG" (which they should do), but the secondary consequence to that is that it's highly unpopular to question whether some of the decisions made in the late 90s have a place in cryptography and security today.

Your article clearly calls out one of these highly problematic myths -- that "algorithmic agility is a good thing" -- and cites multiple practicing cryptography and security experts (at IETF and elsewhere) that have been speaking out against the "algorithmic agility" myth for the better part of the last decade.

Thanks for writing the article, and adding to the list of writing that is speaking out against unfettered algorithmic agility. It helps those of us that are trying to design security solutions for a modern landscape.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021) https://www.digitalbazaar.com/
Received on Thursday, 9 March 2023 16:09:03 UTC