Nelson wrote:
>> For me, the purpose of this debate is finding out what users can expect from
>> Mozilla by way of security.

>The answers to that quest probably include these properties:
>- open, openly specified, not secret,
>- inner workings subjected to public scrutiny.
>- security claims independently verifiable
>- interoperability with products from other sources is desired, not avoided
>- interoperability with products from other sources is based on standards
>compliance - not proprietary specifications controlled solely by Mozilla

Which we all appreciate.

>Now, in contrast to that, I have been led to believe that Skype's:
>- protocols, security designs and parameters are proprietary, secret, have
>not been openly published, and thus not subjected to public scrutiny
>- components are all proprietary.  Their clients only interoperate with their
>servers and their other clients.  It's a closed system, as far as I know.
>- security claims are not independently verifiable by those who have no
>economic interest in keeping unfavorable findings secret

>I suspect that part of the reason you look so favorably on Skype is
>precisely that its security claims have NOT been subjected to public
>scrutiny.  I think you tend to give them the benefit of a (very large) doubt.
>In the absence of published faults in their technology, in your debates
>it seems you tend to treat that technology as flawless, which gives them an
>advantage that no openly specified system can ever have.

>I believe you will not get Mozilla or its community members interested in
>developing a solution that requires that
>- all clients and all servers come from Mozilla,
>- protocol specifications, source code, and other technologies be kept secret
>- security claims must be taken on faith.

>Consequently, I think there's little to be gained by continuing to hold
>Skype up as a shining example in this list/group.  So, please don't keep
>flogging us with praise for Skype or other systems that are antithetical
>to the values of the open-source community.

Since I originally brought up Skype as an example, I can unfortunately only
reiterate that the open, standards-based, and non-proprietary world has
schemes that offer "perfect security" on paper, while their opposites have
fully deployed "flawed security" on a truly massive scale.

My guess is that the majority of the market will hook into the latter
because they really have no alternative.

IF Mozilla and other groups actually want to "fix" this, they have to
come up with something that can be deployed without users becoming
security experts.  Based on a decade with S/MIME failures, I believe
the word "pragmatism" is severely lacking and therefore we get nowhere.
One of the ways you could create a generally useful solution (see subject
line...) would IMO be to use DNS as a key repository like featured in DKIM.
But since this is not "perfect" we will rather continue with horrible
stuff like:  http://news.cnet.com/8301-17939_109-10110382-2.html

With respect to Skype, there is unfortunately another thing that makes
prospects for open security messaging look pretty bleak and that is the
ability to connect to paid services like Skype-out.

This is BTW not too different to PayPal which I guess works so well
because it owns the entire customer-base and doesn't have to mess
with other competing/collaborating partners.

Anders
user of flawed security solutions, developer of new concepts
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
