[cryptography] preventing protocol failings

Kevin W. Wall kevin.w.wall at gmail.com
Wed Jul 13 08:20:57 EDT 2011

On Wed, Jul 13, 2011 at 2:01 AM, Ian G <iang at iang.org> wrote:
> On 13/07/11 9:25 AM, Marsh Ray wrote:
>> On 07/12/2011 04:24 PM, Zooko O'Whielacronx wrote:
>>> On Tue, Jul 12, 2011 at 11:10 AM, Hill, Brad <bhill at paypal-inc.com> wrote:
>>>> I have found that when H3 meets deployment and use, the reality
>>>> too often becomes: "Something's gotta give." We haven't yet found
>>>> a way to hide enough of the complexity of security to make it
>>>> free, and this inevitably causes conflicts with goals like
>>>> adoption.
>>> This is an excellent objection. I think this shows that most crypto
>>> systems have bad usability in their key management (SSL, PGP). People
>>> don't use such systems if they can help it, and when they do they
>>> often use them wrong.
>> But the entire purpose of securing a system is to deny access to the
>> protected resource.
> And that's why it doesn't work; we end up denying access to the protected
> resource.
> Security is just another function of business, it's not special.

Unless of course, your business IS (all about) security. :D

> The purpose of security is to improve the profitability of the resource.
> Protecting it is one tool to serve security & profits, and re-engineering it
> so it doesn't need any protection is another tool... There are many such
> tools :)

I disagree with this statement and think it is an overgeneralization.

At its core, security is about "ensuring trust" and "managing risk",
not about improving the profitability of the resource. Protecting a
resource is certainly a component of it, but IMO, it is way too far
reaching to state that this is "the purpose" of security.

Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
