As you wrote already on your blog post : allowing for everything is just dumb, so I do not really understand why all of your cases that you presented allow user to do anything and everything.
To shorten it, let’s establish a short glossary:
CA – crypto agility
First, let’s separate the concerns – language is abstract, design is abstract, we are talking not about specific implementations like JWT, SSH or anything – we are talking about CA as a concept. There are better and better and worse implementation out there and very different usages depending on application.
CA does not state anywhere that you have to have a. backward compatibility and b. to be able to switch to anything anywhere – those are implementation-specific, and again you are saying that the concept itself is broken. This is False Attribution Fallacy,
padding, oracle, and downgrade attacks, are also, implementation specific to the code, usage and application, Again, False Attribution Fallacy,
the post is clearly made from the web-developer perspective, but talks about the general concept and its usage. You are not considering different usages that already exists and focusing mostly on the narrow, specialized usage (tiny slice of networking applications). This is Packaged Deal Fallacy.
allowing for everything is just dumb, so I do not really understand why all of your cases that you presented allow user to do anything and everything.
Because every implementation of a design that prioritized Crypto Agility inevitably fucked up in exactly this way.
Real world cryptography is messy and full of mistakes.
This is Packaged Deal Fallacy.
I blog as my fursona, which I keep totally separate from my legal identity as much as reasonably possible.
Most of the real world examples I could point to for why agility fails are under my legal name, and also restricted by NDA. This forces me to take some liberties in how I write.
If you want to cross examine my experience (without forcing me to put myself in a legally precarious situation), simply ask other cryptography/security experts if their experience matches mine. Preferably one that you’re paying for their time, so that their incentives are aligned with your interests, not mine.
Every solution that avoided the “allow everything stupid” pitfalls began with the premise of not doing Crypto Agility (i.e. WireGuard), or only doing minimal Crypto Agility (i.e. PASETO).
I blog as my fursona, which I keep totally separate from my legal identity as much as reasonably possible.
I do not care. Honestly, I’m not concerned with your social interactions. IMO, At the very moment you mix those things into discussion about the technology, which is ruled by specifications, RFCs, and is known for being precise, the strength of your arguments falls to the ground. I would also advise not to bring lawyers, sociology, gender, religious or political beliefs, race, or other non-technical things to the technical discussion; since those are both confusing to the readers and brings nothing to the table – just a free tip for the future.
Because every implementation of a design that prioritized Crypto Agility inevitably fucked up in exactly this way.
Real world cryptography is messy and full of mistakes.
Does every implementation have done it? Mine was fine, it had no such problems that you mentioned? Was it good? fuck no – but does that mean that you saw what I wrote? Does that mean that you saw everything other people wrote? Are you saying you are an all-knowing being from another dimension, granting us your wisdom?
You clearly said that all CA is wrong, but you do not know all the applications of it. Moreover, your core understanding of CA is very wrong. I wrote about that before.
Most of the real world examples I could point to for why agility fails are under my legal name, and also restricted by NDA. This forces me to take some liberties in how I write
To me, a sentence
"i took some liberties to how i write"
sounds like a fancy version of
"i lied and/or overcolorized what i wrote, whatyougonadoabboutit".
It’s like saying
“oh no your honor, i did not kill the man, i barely depraved him of oxygen in the mixture of air he was breathing, but I clearly stated by my actions he was not at liberty to use.”;
a.k.a. "a word salad".
Long story short – I am on the other side of the fence. What you are writing is being dishonest to the work i’ve done, and the work of other developers in the field. That’s why I started this discussion.
That is also the reason I postulate that you are deliberately either:
1. pose as someone, you are not,
2. advertising yourself having experience in the field you clearly lack,
3. or deliberately misguiding the audience.
If you are not, then you have my sincerest, apology, but your last comment does not strike me as convincing – at least to this point.
Every solution that avoided the “allow everything stupid” pitfalls began with the premise of not doing Crypto Agility (i.e. WireGuard), or only doing minimal Crypto Agility (i.e. PASETO).
That’s again a lie, so let me rephrase that for you: "Every solution that I know or noticed did that". And that would be a valid statement, and I would totally emphasize with you. But, clearly, the one I was working on didn’t have such problem, and I already wrote why. Allow me to clarify that again, in simpler words, so it will be easier to understand – CA is like a pattern, a tool, let’s say a gun. Some guns are terrible, some are at least okay-ish, but clearly you got a bad one – you cheeped out, it blew your face off, and now you are ranting that all of them are bad. That is a very childish approach.
Conclusion? If you are writing about your experiences, state it as such. Do not discredit or disregard other people’s work. What you wrote is good in theory as a beginning of a debate or a precise and directed rant, but not as an article stating the fact. If for every fallacy you committed I would get a dime, I could buy myself a very good coffee now.
IMO, At the very moment you mix those things into discussion about the technology, which is ruled by specifications, RFCs, and is known for being precise, the strength of your arguments falls to the ground.
Which IETF working group do you think is responsible, exactly, for my personal blog where the article was published?
There are no real “rules” for personal blogs. I write in a conversational English style. I use furry art at my discretion to punctuate my points. Some people dislike it. I simply increase the amount of furry art I use when people complain.
I would also advise not to bring lawyers, sociology, gender, religious or political beliefs, race, or other non-technical things to the technical discussion; since those are both confusing to the readers and brings nothing to the table – just a free tip for the future.
This is a lot of unsolicited advice from someone who doesn’t care.
I’m not going to bother reading the rest of your comment. You should familiarize yourself with the Lobsters rules. We strive to be more positive and constructive than HN or Reddit here.
Also, if you think your implementation is special and perfect, at least have the decency to drop a link to the source code so it can be critiqued.
As you wrote already on your blog post : allowing for everything is just dumb, so I do not really understand why all of your cases that you presented allow user to do anything and everything.
To shorten it, let’s establish a short glossary: CA – crypto agility
First, let’s separate the concerns – language is abstract, design is abstract, we are talking not about specific implementations like JWT, SSH or anything – we are talking about CA as a concept. There are better and better and worse implementation out there and very different usages depending on application.
Because every implementation of a design that prioritized Crypto Agility inevitably fucked up in exactly this way.
Real world cryptography is messy and full of mistakes.
I blog as my fursona, which I keep totally separate from my legal identity as much as reasonably possible.
Most of the real world examples I could point to for why agility fails are under my legal name, and also restricted by NDA. This forces me to take some liberties in how I write.
If you want to cross examine my experience (without forcing me to put myself in a legally precarious situation), simply ask other cryptography/security experts if their experience matches mine. Preferably one that you’re paying for their time, so that their incentives are aligned with your interests, not mine.
Every solution that avoided the “allow everything stupid” pitfalls began with the premise of not doing Crypto Agility (i.e. WireGuard), or only doing minimal Crypto Agility (i.e. PASETO).
I do not care. Honestly, I’m not concerned with your social interactions. IMO, At the very moment you mix those things into discussion about the technology, which is ruled by specifications, RFCs, and is known for being precise, the strength of your arguments falls to the ground. I would also advise not to bring lawyers, sociology, gender, religious or political beliefs, race, or other non-technical things to the technical discussion; since those are both confusing to the readers and brings nothing to the table – just a free tip for the future.
Does every implementation have done it? Mine was fine, it had no such problems that you mentioned? Was it good? fuck no – but does that mean that you saw what I wrote? Does that mean that you saw everything other people wrote? Are you saying you are an all-knowing being from another dimension, granting us your wisdom?
You clearly said that all CA is wrong, but you do not know all the applications of it. Moreover, your core understanding of CA is very wrong. I wrote about that before.
To me, a sentence
sounds like a fancy version of
It’s like saying
a.k.a.
"a word salad".Long story short – I am on the other side of the fence. What you are writing is being dishonest to the work i’ve done, and the work of other developers in the field. That’s why I started this discussion.
That is also the reason I postulate that you are deliberately either:
If you are not, then you have my sincerest, apology, but your last comment does not strike me as convincing – at least to this point.
That’s again a lie, so let me rephrase that for you:
"Every solution that I know or noticed did that". And that would be a valid statement, and I would totally emphasize with you. But, clearly, the one I was working on didn’t have such problem, and I already wrote why. Allow me to clarify that again, in simpler words, so it will be easier to understand – CA is like a pattern, a tool, let’s say a gun. Some guns are terrible, some are at least okay-ish, but clearly you got a bad one – you cheeped out, it blew your face off, and now you are ranting that all of them are bad. That is a very childish approach.Conclusion? If you are writing about your experiences, state it as such. Do not discredit or disregard other people’s work. What you wrote is good in theory as a beginning of a debate or a precise and directed rant, but not as an article stating the fact. If for every fallacy you committed I would get a dime, I could buy myself a very good coffee now.
“I created an account just to comment on this post on Hacker News, and then created a Lobsters account less than an hour later to post a negative comment here too” - Someone who doesn’t care, apparently
Which IETF working group do you think is responsible, exactly, for my personal blog where the article was published?
There are no real “rules” for personal blogs. I write in a conversational English style. I use furry art at my discretion to punctuate my points. Some people dislike it. I simply increase the amount of furry art I use when people complain.
This is a lot of unsolicited advice from someone who doesn’t care.
I’m not going to bother reading the rest of your comment. You should familiarize yourself with the Lobsters rules. We strive to be more positive and constructive than HN or Reddit here.
Also, if you think your implementation is special and perfect, at least have the decency to drop a link to the source code so it can be critiqued.