A mighty fortress is our PKI
Perry E. Metzger
perry at piermont.com
Tue Jul 27 14:22:40 EDT 2010

On Tue, 27 Jul 2010 11:11:52 -0700 Chris Palmer
<chris at noncombatant.org> wrote:
> Sampo Syreeni writes:
>
> > >I am not sure what quantitative measurement of vulnerability
> > >would even mean. What units would said quantity be measured in?
> >
> > I'm not sure either. This is just a gut feeling.
>
> See also:
>
> http://nvd.nist.gov/cvsseq2.htm

That scale seems remarkably arbitrary.

One problem with such arbitrary scales is that there is no objective
methodology one can engage in which will show that the equation is
"wrong" in some way.

Unless you can perform an experiment to falsify the self-declared
"objective quantitative security measurement", it isn't science. I
can't think of an experiment to test whether any of the coefficients
in the displayed calculation is "correct". I don't even know what
"correct" means. This is disturbing.

Perry
--
Perry E. Metzger perry at piermont.com