[cryptography] philosophical question about strengths and attacks at impossible levels

travis+ml-rbcryptography at subspacefield.org
Fri Nov 19 14:26:45 EST 2010


On Sat, Oct 16, 2010 at 12:29:07PM +1100, Ian G wrote:
> On this I would demur.  We do have a good metric:  losses.  Risk
> management starts from the business, and then moves on to how losses are
> affecting that business, which informs our threat model.
>
> We now have substantial measurable history of the results of open use
> of cryptography.  We can now substantially and safely predict the result  
> of any of the familiar cryptographic components in widespread use,  
> within the bounds of risk management.
>
> The result of 15-20 years is that nobody has ever lost money because of  
> a cryptographic failure, to a high degree of reliability.  Certainly  
> within the bounds of any open and/or commercial risk management model,  
> including orders of magnitude of headroom.

Does the fact that parts of Stuxnet were signed by two valid certs
count as a cryptographic failure?
-- 
Good code works on most inputs; correct code works on all inputs.
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/ 
If you are a spammer, please email john at subspacefield.org to get blacklisted.