Maybe It's Snake Oil All the Way Down

Rich Salz rsalz at datapower.com
Wed Jun 4 10:21:46 EDT 2003


>   The problems that this creates are demonstrated by what happens when
>   technically skilled users are required to work with certificates.

If you haven't already seen it, I highly recommend Don Davis's 
"compliance defects" paper (and slides!) available at 
http://world.std.com/~dtd.  Abstract follows:
  Public-key cryptography has low infrastructural overhead because
  public-key users bear a substantial but hidden administrative burden.
   A public-key security system trusts its users
  to validate each others' public keys rigorously and to manage
  their own private keys securely. Both tasks are hard to do well,
  but public-key security systems lack a centralized infrastructure
  for enforcing users' discipline.  A "compliance defect" in a
  cryptosystem is such a rule of operation that is both difficult
  to follow and unenforceable.  This paper presents five compliance
  defects that are inherent in public-key cryptography; these
  defects make public-key cryptography more suitable for server-to-server
  security than for desktop applications.



-- 
Rich Salz, Chief Security Architect
DataPower Technology         http://www.datapower.com
XS40 XML Security Gateway    http://www.datapower.com/products/xs40.html


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list