A slight modification of my comments on PKI.
dan at geer.org
dan at geer.org
Wed Jul 28 22:34:50 EDT 2010
> It is important to remember what we're trying to defend against. As
> many of us have learned through bitter experience, the costs and
> benefits of security systems we deploy are the important part. No one
> needs perfect security in the face of no attackers at all, and even if
> attackers are numerous, if a system has low enough failure/fraud
> rates, no one will complain much.
The design goal for any security system is that the number of
failures is small but non-zero, i.e., N>0. If the number of
failures is zero, there is no way to disambiguate good luck
from spending too much. Calibration requires differing outcomes.
Regulatory compliance, on the other hand, stipulates N==0 failures
and is thus neither calibratable nor cost effective. Whether
the cure is worse than the disease is an exercise for the reader.
--dan
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list