I have been considering posting this essay for while now, in light of many CA's refusal to revoke all heartbleed compromised keys, it is time to post it.

When I became interested in modern security and cryptography, I was lucky to have the acquaintance of an experienced security expert. He was kind and patient, willing to entertain a teenage programmer's experiments in security. I told me something I remember daily now, "The first rule of cryptography is to never roll your own crypto". Now, I am a much older graduate student researching vulnerability’s of current cryptographic techniques and possible solutions to currently intractable problems.

I am now an "Expert". Somewhere in the last 5 years, I magically grew the power to be an authority on writing new cryptography. With that came the understanding, that anything I created was likely flawed. The first task set before any novel cryptographic system is that of peer review. Luckily, the academic security field is a very open one, it's openness predicated on the understanding that more eyes on an algorithm or protocol the more likely any flaws would be at least detected, if not fixed.

As a new "Expert" I am also strongly disillusioned. The professional world sadly, does not share the openness of academia. That first rule, "leave it to the experts", is exclusionary and membership to the "experts" club is limited to older white gray and white hat hackers from the early 70s. The security infrastructure those men built, is at the foundation of the structure utilized today. The foundation is rotten. Our security elite have systematically failed us.

Companies have built their names on providing security. That same motivation to protect tier brands, has lead them to systemically fail to report and close breaches of security. A security professional or company is not motivated to provide you with security, rather, they are motivated to make you pay for perceived security.

A long series of recent revaluations reinforce this truth, that the current security establishment is not but theater. Systemic refusal of certificate authorities to revoke compromised keys, recent revaluations of top level interception of all supposedly secure traffic in the US (and likely every other major government).

I vote no confidence to the current professional security community.

We need a new solution. We need to support and critique new ideas. DNS and CA based security is currently systematically broken by business incentives. We need to make something new.