[Cryptography] What is a secure conversation? (Was: online forums...)

Jon Callas jon at callas.org
Mon Dec 30 11:26:46 EST 2013


On Dec 29, 2013, at 9:52 PM, ianG <iang at iang.org> wrote:

> Indeed.  So we have a quandary.  Do it one way, fall in one trap.  Do it another way, fall in another trap.  Is there a way to avoid all traps?

Of course not. The first rule of real-world security is that there are more threats than you can defend against. This is the whole reason we have "threat models." It's a way to scope the unsolvable totality in.

> We know what doesn't work:  committees, broad-based low-level crypto tool analyses, government standards, consultancies.

Actually, they're extraordinarily useful.

There are always people who get a bee in their bonnet about something that's real but unlikely. Pushing them off into any of the above has two advantages -- it gets them out of your hair of dealing with the real and actual problems, and when you make progress in solving the present actual problem, the next one will be some past real-but-unlikely problem. So you get a leg up on the next one.

> What that leaves is, I think:  the business must appoint one person to take responsibility.  That person must make the decision to drop the unrealistic threats, once they've had their day in the sun.
> 
> The job and the person take on the successes as well as the failures.

In many organizations, this person is called the CSO.

	Jon

