[Cryptography] What is a secure conversation? (Was: online forums...)

Jon Callas jon at callas.org
Mon Dec 30 10:44:48 EST 2013



On Dec 29, 2013, at 8:46 PM, ianG <iang at iang.org> wrote:

> Seems to be:
> Donn Parker,
> "Making the Case for Replacing Risk-Based Security"
> ISSA Journal, May 2006.
> 
> But I am unable to find a copy, anyone got a link to hand?
> 
> What I read of that article is that it is talking about (against) risk-based security rather than best practices.  Maybe I've got the wrong one?

It was a speech he gave at some event I was at, and likely an ISSA event or ISACA. It was a life-changing experience.

I'm sure that's the print version, if watered down.

> 
> Oh, it's worse than that.  Best practices as a concept only applies when you have a large group of people who need a 'practice'.  As you point out, the game mechanics of such is that the worse one typically survives because it is by definition the only one that everyone can implement, once they've decided they need consensus.
> 
> So best practices is actually a misnomer of perfect (!) proportions, it is by consensus the worst practices, or more politely, the least they can all agree on.  The race to the bottom.
> 
> But even worse is that even the very notion of people coming together to document their 'best practices' means that every participant is unsure what they are about.  They lack the confidence to say, "my practices are good enough, I don't need to achieve consensus."  They need the insurance policy of saying "we're doing what everyone else is doing, therefore we can't be wrong."
> 
> So, by the same game mechanics, best practices are those that are shared by people who aren't confident enough to do it.  It's turtles all the way down, from there.

The minute someone uses the plural of "best practice" they prove Donn right.

Alternatively, the word "best" should be reserved for practices known to be not-good, but you have to do *something*.

> 
> 
>> "Perfect" has all the problems that "best" does -- and in fact, since
>> "perfect" literally means that it cannot be improved on, it's merely a
>> synonym for "best."
> 
> 
> Inconvenient changes to threats need not apply, we're perfect!

Look at all the discussion of Perfect Forward Secrecy going on now. It's often just flat broken and counterproductive.

	Jon




