Monoculture

[Ian Grigg]

Don Davis wrote:
> 
> EKR writes:
> > I'm trying to figure out why you want to invent a new authentication
> > protocol rather than just going back to the literature ...

> note that customers aren't usually dissatisfied with
> the crypto protocols per se;  they just want the
> protocol's implementation to meet their needs exactly,
> without extra baggage of flexibility, configuration
> complexity, and bulk.  they want their crypto clothing
> to fit well, but what's available off-the-rack is
> a choice between frumpy one-size-fits-all, and a
> difficult sew-your-own kit, complete with pattern,
> fabric, and sewing machine.  so, they often opt for
> tailor-made crypto clothing.


This is also security-minded thinking on the part
of the customer.

Including extra functionality means that they have
to understand it, they have to agree with its choices,
they have to follow the rules in using it, and have
to pay the costs.  If they can ditch the stuff they
don't want, that means they are generally much safer
in making simple statements about the security model
that they have left.

So, coming up with a tailor-made solution has the
security advantage of reducing complexity.  If one
is striving to develop the whole security model on
ones own, without the benefit of formal methods,
that approach is a big advantage.

(None of which goes to say that they won't ditch a
critical component, of course.  I'm just trying to
get into their heads here when they act like this.)


iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com