[148833] in cryptography@c2.net mail archive

Re: [Cryptography] What is a secure conversation? (Was: online

daemon@ATHENA.MIT.EDU (Jon Callas)
Mon Dec 30 11:28:06 2013

X-Original-To: cryptography@metzdowd.com
From: Jon Callas <jon@callas.org>
In-Reply-To: <52C10A2B.2060008@iang.org>
Date: Mon, 30 Dec 2013 08:26:46 -0800
To: ianG <iang@iang.org>
Cc: Jerry Leichter <leichter@lrw.com>,
	Cryptography Mailing List <cryptography@metzdowd.com>,
	Theodore Ts'o <tytso@mit.edu>, Jon Callas <jon@callas.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Dec 29, 2013, at 9:52 PM, ianG <iang@iang.org> wrote:

> Indeed.  So we have a quandary.  Do it one way, fall in one trap.  Do it another way, fall in another trap.  Is there a way to avoid all traps?

Of course not. The first rule of real-world security is that there are more threats than you can defend against. This is the whole reason we have "threat models." It's a way to scope the unsolvable totality in.

> We know what doesn't work:  committees, broad-based low-level crypto tool analyses, government standards, consultancies.

Actually, they're extraordinarily useful.

There are always people who get a bee in their bonnet about something that's real but unlikely. Pushing them off into any of the above has two advantages -- it gets them out of your hair of dealing with the real and actual problems, and when you make progress in solving the present actual problem, the next one will be some past real-but-unlikely problem. So you get a leg up on the next one.

> What that leaves is, I think:  the business must appoint one person to take responsibility.  That person must make the decision to drop the unrealistic threats, once they've had their day in the sun.
> 
> The job and the person take on the success as well as the failures.

In many organizations, this person is called the CSO.

	Jon


_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography