[cryptography] philosophical question about strengths and attacks at impossible levels
marsh at extendedsubset.com
Sat Nov 20 16:37:57 EST 2010
On 11/19/2010 05:39 PM, Ian G wrote:
> On 20/11/10 6:26 AM, travis+ml-rbcryptography at subspacefield.org wrote:
>> Does the fact that parts of Stuxnet were signed by two valid certs
>> count as a cryptographic failure?
> Short answer: no.
> Medium answer: if you look at the so-called Internet Threat Model on
> which SSL was founded, the node was ruled outside the model. Stolen
> valid certs are node problems not wire problems, and this is typically
> the assumption made in all certificate protocols.
> Longer answer: Depends on who is arguing, and what follows is my
> especial counter-cultural opinion. I am widely disagreed :)
Well I'm just going to have to disagree with you here.
> Typically, in promoting a technology, people will point at the
> cryptographic purity in a narrow fashion, and then market the protection
> delivered in a broader context. This is called a bait & switch in the
> marketing world.
The term bait-and-switch has a reasonably well-defined meaning:
I don't think this qualifies as a bait-and-switch scenario because the
originally-advertised functionality (the bait) is still part of the package.
Bait-and-switch would be more like a salesperson saying "No, I'm sorry
we just ran out of the low-priced RSA certificates we advertised in the
Sunday paper. But I have a fresh shipment of ECC EV certificates that
only cost X times more...". Especially if the store had no intention of
stocking enough of the advertised item to cover the anticipated demand.
The best term for this that I can think of is plain old "exaggeration",
but I don't feel like that really captures the idea. It's more that the
claims are extended beyond their original domain, to the point where
they may no longer apply.
Perhaps there's not a word for this because it's simply taken for
granted in marketing. E.g., "this bottled liquid is proven to prevent
dehydration" is extended to imply "this particular bottled liquid will
associate you in some way with others like these happy and popular
off-duty lifeguards playing beach volleyball".