A mighty fortress is our PKI

Paul Tiemann paul.tiemann.usenet at gmail.com
Wed Jul 28 12:27:52 EDT 2010


On Jul 27, 2010, at 10:58 PM, dan at geer.org wrote:

>> Wow, I was just going to recommend Dan's book, "Security Metrics."
>
> It is actually Andy Jaquith's book, I only wrote the intro.

Ouch, I'm sorry for the mistake!  (I knew I remembered your name in connection with the book, but it's on my bookshelf in the office and I was at home.)

> In the meantime, though, couple of years ago I did a tutorial
> on security metrics which you may find useful
> 
> http://geer.tinho.net/measuringsecurity.tutorial.pdf

Thanks, my favorite so far is page 45 with the table on Risk Management Culture.  I need to tape that to the wall for inspiration.

Pathologic: Don't want to know
Bureaucratic: May not find out
Generative: Actively seek

Pathologic: Failures punished
Bureaucratic: Local repairs only
Generative: Failures beget reforms

From my point of view: The security community is being Generative (Actively seek) about finding the flaws in systems, but it's too often in the Pathologic (Failures punished) stage about how to handle those flaws once they're discovered.

My suspicion: It's fun to Actively seek, and hard to find solutions, and it can be downright frustrating to champion reforms.  If the vulnerability isn't gigantic, it's hard to even get people to listen.  Reform is maybe 20x harder and 1/5th as fun as poking the holes.

That said, here's an experience worth talking about: Dan Kaminsky did a pretty good job of being Generative in _both_ categories.  He found a hole in DNS, and then worked with LOTS of vendors and even with people not directly tied to DNS to collaborate on reforms.  He even called me (at a smaller CA) to make sure we were aware of the risks and to verify that we don't only rely on automated forms of verification.  I really appreciated the call--it felt like my chance to talk to a rock star.

All the best,

Paul Tiemann 
(DigiCert)
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com