[cryptography] Diginotar Lessons Learned (long)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Sep 10 13:38:37 EDT 2011

Andy Steingruebl <andy at steingruebl.com> writes:

>We still need to prioritize of course, and fix the things being exploited
>rather than just increasing key-lengths (the typical approach) but that
>doesn't mean that fixing things that aren't being exploited now, but we know
>can be exploited, is a waste of time.

My concern with this is that we've spent the last fifteen years energetically
fixing the things that aren't being exploited.  When do we start fixing the
things that are?

(Success criteria are the ultimate acid test of any new initiative, which is
why you'll never, ever see them specified for government projects.  All the
people proposing new Rube Goldberg schemes - me included - should feel
confident enough in them that they're prepared to say "My scheme, if adopted,
will lead to an X% decrease in phishing".  It doesn't even have to be 25%,
let's make it really easy and say 5%, or even just "statistically
significant".  If you can't do that then you're not really proposing a
solution but just looking for guinea pigs).
