I don't think it is helpful to use pejorative language in technical discussions. A backdoor is by definition secret to the party being observed.
We went through this whole mess with key escrow which people treated as the spawn of Satan and as a result, we have no viable standard for securing data at rest because if you are going to encrypt valuable data, being absolutely sure you can decrypt it if required is actually a much bigger concern than disclosure. I did develop a mechanism that allows for verifiable selective access which Comodo may or may not be applying for a patent on. Dan Harkins also has work in that area. The reason that I didn't raise them earlier is that my latest work on RUD which is designed to go beyond TLS security provides an effective means of bypassing any controls of that type so the patent claims are probably moot. RUD is designed to defeat traffic analysis and censorship so the entire packet payload is encrypted, including the stream and flow data. A connection can also be established with a reserved prefix to support steganography and address extension. So a connection can say 'start the RUD payload at byte 32' and those bytes can then be used to add a phony QUIC header to bypass IRG/FSB/etc packet inspection. Alternatively, it could be a fixed prefix negotiated with a carrier grade NAT system to effectively extend the IPv4 address space without going to IPv6. RUD does not have to be a standard to provide a means of rendering verifiable observability moot, it just needs to have one implementation. On Fri, Sep 30, 2022 at 4:38 AM Randy Armstrong (OPC) < [email protected]> wrote: > > - I think the key point here is that sometimes observability is a > feature and not a bug. This is particularly important in > industrial/critical infrastructure. That observability can be achieved in > many ways. One question is whether the observability itself should itself > be authorized. > > Putting backdoors into protocols is not equivalent to letting applications > decide to skip encryption. > > A backdoor is like giving law enforcement codes to break into a cellphone > and hoping that they will never abuse the power or the codes will never > fall into the hands of criminals. Letting applications decide is equivalent > to an owner of a cellphone choosing not to lock their screen because they > decide there is nothing that needs protecting. > > IOW, the fact that some users might be willing to live with the risk of a > compromised system by allowing for backdoors is not a reason to refuse to > allow other users to make a decision send data in clear text when and only > when they decide it is safe. >
