Ousourced Trust (was Re: Difference between TCPA-Hardware and a smart card and something else before

Ed Reed ereed at novell.com
Mon Dec 22 21:34:31 EST 2003 

>>> Ian Grigg <iang at systemics.com> 12/20/2003 12:15:51 PM >>>

>One of the (many) reasons that PKI failed is
>that businesses simply don't outsource trust.

Of course they do.  Examples:
 
D&B and other credit reporting agencies.
SEC for fair reporting of financial results.
International Banking Letters of Credit when no shared root of trust
exists.
Errors and Ommissions Professional Liability insurance for consultants
you don't know.
Workman's Compensation insurance for independent contractors you don't
know.
 
The point is that the "real world" has monitized risk.  But the
crytpo-elite have concentrated too hard on eliminating environmental
factors from proofs of correctness of algorithms, protocols, and most
importantly, business processes.
 
Crypto is not business-critical.  It's the processes its supposed to be
protecting that are, and those are the ones that are insured.
 
Legal and regulatory frameworks define how and where liability can be
assigned, and that allows insurance companies to factor in stop-loss
estimates for their exposure.  Without that, everything is a crap
shoot.
 
Watching how regulation is evolving right now, we may not see explicit
liability assignments to software vendors for their vulnerabilities,
whether for operating systems or for S/MIME email clients.  Those are
all far too limited in what they could offer, anyway.
 
What's happening, instead, is that consumers of those products are
themselves facing regulatory pressure to assure their customers and
regulators that they're providing adequate systematic security through
technology as well as business policies, procedures and (ultimately)
controls (ie, auditable tests for control failures and adequacy).  When
customers can no longer say "gee, we collected all this information, and
who knew our web server wouldn't keep it from being published on the
NYTimes classified pages?", then vendors will be compelled to deliver
pieces of the solution that allow THE CUSTOMER (product consumer) to
secure their environments.
 
Get ready.  Trusted Third Party evaluations, like FIPS 140 is for
Crypto, will be the thing insurance companies look to for guidance in
factoring their risk exposure when asked to provide warranty coverage to
businesses using technology - just like they did to Underwriters
Laboratories for electrical appliances, just like they do to D&B for
commercial credit processing, just like they do to MasterCard and VISA
for consumer credit processing.
 
And before you say "well, that doesn't apply to internal company
security", ask yourself how many companies outsource physical security
to Brinks or some other security-guard employeement agency.  They can do
that, too, because of other insurance (personal bonds) that help them
lay off the exposure to misplaced trust.
 
Trust is heavily outsourced.  Only the very large or very foolish think
they can "go it alone".  And the very large generally have governments
in their pockets to  help provide the stop-loss limits for their
exposure.
 
No?
 
Ed

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list