the sad state of cryptographic infrastructure, 17 May 2012

I've been looking at ssh and IPsec again and it's made me realise again that we (in the computing field) have made a mess of the artifacts of cryptography and it's entirely our own fault. Starting from goals such as privacy and authentication of communication, we have taken aim at our feet and fired. PGP is a sad example: by changing key formats and algorithms repeatedly (sometimes for compelling legal reasons), interoperability is so impaired that you pretty much need to know in advance which version of PGP each recipient uses.

The triumph of ssh v2 (a classic second system) over v1 is another example: whatever the theoretical weaknesses of v1 were, it was surely better to encrypt one's communication than not. We need a v3, a stripped-down and streamlined version closer to v1 than v2.

We seem to be better at building great steaming piles of crypto (e.g., OpenSSL) than getting to the core of what needs to be done and doing just that.


Geoff Collyer
geoff at collyer.net