[Cryptography] best practices considered bad term

Theodore Ts'o tytso at mit.edu
Mon Feb 2 10:02:19 EST 2015


On Sun, Feb 01, 2015 at 11:22:53PM -0500, Jerry Leichter wrote:
> Is there some truth to this assertion?  Sure.  But consider the same
> discussion about the National Electrical Code.  It's a bunch of
> rules - no justifications or arguments, mind you, just rules.  If
> you follow the rules, you won't have trouble getting your town's
> electrical inspector to approve your work.  Or ... you can do it
> your own way and get into infinite arguments.
>
> If you're an electrician, and you follow the rules, you also are
> much less likely to be sued, or to lose a suit, if something goes
> wrong and the house burns down.


There seems to be a war of analogies going on here.  Sure, sometimes
"best practices" are really good ideas, like Aviation Checklists
--- which, as the old saying goes, are written in blood, unlike
Aviation Manuals, which are merely written in ink.

But there are also those "best practices" for which we don't have
strong evidence to back up the author's opinion, and where following
the "best practice" leads to tradeoffs --- and the net effect of the
compromises is sometimes not clear.

Forcing users to change passwords every six months, and requiring at
least one number and one symbol, and to be at least 10 characters ---
a good idea, or a bad idea?  Telling everyone to use different
passwords for every single website inevitably leads them to use
password managers such as LastPass --- is that a net win or net loss
in security?

These sorts of "best practices" are very different from things like
"always use random IV's", or "don't reuse IV's in GCM mode".

So I think part of the problem is that people are talking about very
different things.

Cheers,

						- Ted

