Is cryptography where security took the wrong branch?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Sep 3 10:00:34 EDT 2003


Ian Grigg <iang at systemics.com> writes:

>There appear to be a number of metrics that have been suggested:
>
>   a.  number of design "wins"
>   b.  penetration into equivalent unprotected market
>   c.  number of actual attacks defeated
>   d.  subjective good at the application level
>   e.  worthless measures such as deployed copies, amount of traffic 
>       protected

You forgot the most important one:

    f.  value added elsewhere

SSL's real strength is that it's convinced 100 million Joe Sixpacks that it's
safe to make purchases online.  This has nothing to do with security (you
could do the same with padlock GIFs stuck on your web page), but does count as
some sort of measure of "success", although it's marketing success rather than
security success.  Although they provide about the same level of real
security, it seems that SSH is the tool of choice for people who care about
providing real security while SSL is the tool of choice for people who care
about providing their customers warm fuzzies.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


