PGP "master keys"

Anne & Lynn Wheeler lynn at garlic.com
Sat Apr 29 09:23:01 EDT 2006


Anne & Lynn Wheeler wrote:
> issues did start showing up in the mid-90s in the corporate world ... 
> there were a large number of former gov. employees starting to show up 
> in different corporate security-related positions (apparently after 
> being turfed from the gov). their interests appeared to possibly reflect 
> what they may have been doing prior to leaving the gov.

one of the issues is that corporate/commercial world has had much more 
orientation towards prevention of wrongdoing. govs. have tended to be 
much more preoccupied with evidence and prosecution of wrongdoing. the 
influx of former gov. employees into the corporate world in the 2nd half 
of the 90s, tended to shift some of the attention from activities 
related to prevention to activities related to evidence and prosecution 
(including eavesdropping).

for lots of drift ... one of the features of the work on x9.59 from the 
mid-90s
http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#x959

was its recognition that insiders had always been a major factor in the 
majority of financial fraud and security breaches. furthermore that with 
various financial functions overloaded for both authentication and 
normal day-to-day operations ... that there was no practical way 
of eliminating all such security breaches with that type of information. 
... part of this is my repeated comment on security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61

the x9.59 approach was to eliminate the function overload so that the 
same information that was needed for normal day-to-day operation didn't 
also carry with it any authentication feature/attribute. the result was 
that data breaches could still occur, but no longer enabled the 
financial fraud that it once did ... and therefore it didn't really 
represent a serious security breach ... aka the countermeasure to 
financial fraud associated with the data breaches was to recognize that 
it was impossible to totally eliminate them, since the information was 
required extensively in day-to-day business processes, so to prevent the 
wrongdoing, the authentication feature/attribute was removed from the 
associated information.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
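
The function-overload point in the message above, as an added example that is not part of the original post or of the x9.59 standard: an issuer that treats the account number as the authenticator next to one where the number only identifies and a per-transaction tag authenticates. Assumptions: all class and function names are hypothetical, the account number is constructed, and an HMAC stands in for a digital signature so the code needs only the standard library (with a real signature the issuer would store a public key, not a secret).

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample value, not a real account number.
ACCOUNT = "4000-0000-0000-0001"

def sign(key, txn):
    """MAC over every field that defines the transaction (unambiguous encoding)."""
    fields = [txn["account"], txn["payee"], txn["cents"], txn["nonce"]]
    return hmac.new(key, json.dumps(fields).encode(), hashlib.sha256).hexdigest()

def make_txn(account, payee, cents, key=None):
    txn = {"account": account, "payee": payee, "cents": cents,
           "nonce": secrets.token_hex(8)}
    if key is not None:
        txn["tag"] = sign(key, txn)
    return txn

def reuse_breached_record(record, payee, cents):
    """A leaked business record yields its fields, never the signing key."""
    return {**record, "payee": payee, "cents": cents, "nonce": secrets.token_hex(8)}

class OverloadedIssuer:
    """Account number doubles as the authenticator: knowing it is enough."""
    def __init__(self, accounts):
        self.accounts = set(accounts)

    def authorize(self, txn):
        return txn["account"] in self.accounts

class SeparatedIssuer:
    """Account number only identifies; a per-transaction tag authenticates."""
    def __init__(self, keys):
        self.keys = dict(keys)  # account -> key (HMAC stand-in for a public key)
        self.seen = set()       # nonces already accepted, to reject replays

    def authorize(self, txn):
        key, tag = self.keys.get(txn["account"]), txn.get("tag")
        if key is None or tag is None or txn["nonce"] in self.seen:
            return False
        if not hmac.compare_digest(tag, sign(key, txn)):
            return False
        self.seen.add(txn["nonce"])
        return True
```

Against `OverloadedIssuer`, a record copied from a transaction log authorizes a new payment; against `SeparatedIssuer`, the same record is rejected whether it is altered, replayed unchanged, or stripped of its tag.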