Hacker News

How will regulation take care of bad crypto? Even experts get it wrong with some regularity (of course not as often as noobs, but still).



The problem with regulation is that one must first establish who is capable of regulating correctly. There's no such thing as abstract regulation that simply exists.

The entities that would most likely do the regulating already exist, but I'm unconvinced any of them would actually improve the situation. For instance, see http://blog.cr.yp.to/20140411-nist.html. What real group of people could really regulate cryptography? What real group of people's regulations could actually bring benefits to the field, rather than rubber stamping, government meddling for the NSA, and an emphasis on quantity over quality?

If you can't answer that, I'd suggest staying away from a reflexive "regulation" standpoint.


I failed to express myself well. I'm not suggesting that all crypto is immediately regulated; that is completely infeasible. I'm just pointing out that regulation in general, over all domains, isn't inherently bad.

There is actually some regulation in this space: FIPS compliance, PCI DSS, etc. It's just not as wide-reaching as something like the FAA for aeroplanes.


The FAA, NTSB, and aerospace industry do an effective job of solving problems and taking concrete steps to prevent disasters from happening again. The industry is economically motivated to do so, and those in power want to fly safe, so things get done.

The programming field just keeps making the same old mistakes again and again. We're even economically motivated to keep things this way, because we get paid to fix things when they go wrong. Roads in Germany come with a warranty, so the contractors make sure to build them correctly. Roads in the US and Italy keep getting fixed, because that's how those companies get paid.


"I'm just pointing out that regulation in general, over all domains, isn't inherently bad."

Very few people seriously argue that. (Non-zero, but very few.) I'm a libertarian and I wouldn't seriously argue that. It's mostly a strawman. (I advise anyone who makes routine use of that strawman to stop, and read more carefully whenever they feel tempted to use it again, but that's another post.)

My point is that we aren't talking about "regulation in general", we're talking about "regulation in cryptography", and it's a logical and/or cognitive error to fall back to a general case when one is trying to consider a specific case. If we're going to regulate cryptography, how are we going to regulate it? "In the general case regulators" don't exist. The closest entities we have now that would almost certainly become the regulators show few to no signs of being worthy of the task. This is a serious problem to be addressed without falling back to "general cases".




