[Cryptography] What to put in a new cryptography course

Phillip Hallam-Baker phill at hallambaker.com
Thu Jul 7 01:12:21 EDT 2016


On Wed, Jul 6, 2016 at 10:47 PM, Ron Garret <ron at flownet.com> wrote:

>
> On Jul 6, 2016, at 9:47 AM, Stephan Neuhaus <stephan.neuhaus at zhaw.ch>
> wrote:
>
> > On 2016-06-23 06:33, Phillip Hallam-Baker wrote:
> >>
> >> Some of the points I am planning to make are: [...]
> >>
> >> * Complexity is the enemy of security.
> >
> > Depending on what you mean by that, the evidence for this is pretty thin.
>
> The evidence may be thin, but the argument seems compelling to me: the
> more complex a system is, the more possible places there are for
> vulnerabilities to hide.
>

The more complex you make the system, the more time you will spend
analyzing it and the less complete your analysis will be. So learning to
simplify without loss of functionality is critical.

But you also have to watch the problem of complexity through
oversimplification, which is how PKIX got in such a mess. Instead of having one
mechanism to do a job, people bleated 'keep it simple' and so each
mechanism was not quite powerful enough to do the job intended. And so
instead of one mechanism covering CRLs and OCSP we ended up with two and
then SCVP and many variations thereon.

And of course the people who bleated 'keep it simple' the loudest then
went and invented policy constraints.

Another example of false simplicity is attempting to reuse a tool that
isn't designed for the task. The use of PKIX certificates as a delegation
mechanism for BGP security is utterly nuts. Just give each RIR a cert and
they sign their list of BGP assignments once a day.