TLS-SRP & TLS-PSK support in browsers (Re: Dutch Transport Card Broken)
Alex Alten
alex at alten.org
Sun Feb 3 05:26:09 EST 2008
At 09:34 PM 2/1/2008 +0100, Ian G wrote:
>* Browser vendors don't employ security people as we know them on this
>mailgroup, they employ cryptoplumbers. Completely different layer. These
>people are mostly good (and often very good) at fixing security bugs. We
>thank them for that! But they are completely at sea when it comes to
>systemic security failings or designing new systems.
An excellent observation, Ian!!
I too have run into this mindset at enterprises with in-house security teams
(mostly in Silicon Valley). They focus on the nuts and bolts like
producing/using cryptographic libraries, fixing security bugs in code or
configuring network appliances to stop intrusions. But it is really hard
to find any of them with decent experience or knowledge at the overall
software/hardware/people system design level. They are often very smart and
educated engineers. I find that there's this "mindless" focus on using
groups of "security" standards, e.g. PKI / LDAP / SSL type of combinations,
etc. The DoD contractor firms seem to be a little bit better at
recognizing the system level aspects of security, although they too are
often blinded by the emphasis on "COTS" security products.
- Alex
--
Alex Alten
alex at alten.org
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com