The wisdom of the ill informed

Arshad Noor arshad.noor at
Sun Jun 29 17:00:59 EDT 2008

[Moderator's note: "Top posting considered uncool." --Perry]

While programmers or business=people could be ill-informed, Allen,
I think the greater danger is that IT auditors do not know enough
about cryptography, and consequently pass unsafe business processes
and/or software as being secure.

This is the reason why we in the OASIS Enterprise Key Management
Infrastructure Technical Committee have made educating IT Auditors
and providing them guidelines on how to audit symmetric key-management
infrastructures, one of the four (4) primary goals of the TC.  While
the technology is well understood by most people on this forum, until
we educate the gate-keepers, we have failed in our jobs to secure IT

Arshad Noor
StrongAuth, Inc.

Allen wrote:
> Hi gang,
> All quiet on the cryptography front lately, I see. However, that does 
> not prevent practices that *appear* like protection but are not even as 
> strong as wet toilet paper.
> I had to order a medical device today and they need a signed 
> authorization for payment by my insurance carrier. No biggie. So they 
> ask how I want it set to me and I said via e-mail. Okay. /Then/ they 
> said it was an encrypted file and I thought, cool. How wrong could I be?
> Very. The (I hate to use this term for something so pathetic) password 
> for the file is 6 (yes, six) numeric characters!
> My 6 year old K6-II can crack this in less than one minute as there are 
> only 1.11*10^6 possible.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list