[146856] in cryptography@c2.net mail archive
Re: [Cryptography] Market demands for security (was Re: Opening
daemon@ATHENA.MIT.EDU (John Denker)
Sun Sep 8 16:34:12 2013
Date: Sun, 08 Sep 2013 13:29:56 -0700
From: John Denker <jsd@av8n.com>
To: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
In-Reply-To: <20130908150810.35bad8fd@jabberwock.cb.piermont.com>

On 09/08/2013 12:08 PM, Perry E. Metzger wrote:

> I doubt that safety is, per se, anything the market demands from
> cars, food, houses, etc.

I wouldn't have said that. It's a lot more complicated than
that. For one thing, there are lots of different "people".
However, as a fairly-general rule, people definitely do
consider safety as part of their purchasing decisions.

-- Why do you think there are layers of tamper-evident
packaging on Tylenol (and lots of other things)? Note that
I was not kidding when I suggested tamper-evident data
security measures. Not only do responsible vendors want
the product to be safe when it leaves the factory, they want
to make sure it /stays/ safe.

-- Any purchaser with an ounce of sense will hire an inspector
to check over a house before putting down a deposit. Sales
contracts require the seller to disclose any known defects,
and generally provide some sort of warranty.

++ Forsooth, if people bought crypto as carefully as they buy
houses, we'd all be a lot better off.

-- In many cases, consumers do not -- and cannot -- /directly/
evaluate safety and quality, so they rely on third parties.
One familiar example is the airline industry. The airlines
generally /like/ being regulated by the FAA because by and
large the good guys already exceed FAA safety standards, and
they don't want some bad guy coming in and giving the whole
industry a bad name.

-- I imagine food and drug safety is similar, although the
medical industry complains about over-regulation more than
I would have expected.

-- There are also non-governmental evaluation agencies, such
as Underwriters' Laboratories and Earth Island Institute.

** There are of course /some/ people who court disaster. For
example, there are folks who consider seatbelt laws and motorcycle
helmet laws to be oppressive government regulation. These are
exceptions to the trends discussed above, but they do not
invalidate the overall trends.

!! Note that even if you are doing everything you know how to do,
you can still get sued on the grounds of negligence and deception
if something goes wrong ... especially (but not only) if you said
it was safer than it was. Example: Almost every plane crash ever.

Let's be clear: A lot of consumer "demands" for safety are made
retroactively. "Caveat emptor" has been replaced by /caveat vendor/.