[Cryptography] upgrade mechanisms and policies
Bill Frantz
frantz at pwpconsult.com
Sun Apr 12 17:10:07 EDT 2015
On 4/12/15 at 8:44 AM, iang at iang.org (Ian G) wrote:
>We assume that the package preparers know more than the users.
>Fairly safe assumption in the aggregate. Obviously it breaks
>down with some people and some times. But 90% of those
>discussions are esoteric. 9% reasonable people can disagree,
>but the package choice is still fine for the most. 1% might
>well be right, the choice is bad, or less good.
I think this analysis is too simplistic. There are many more
players than just the standards committees and end users. Many
IT departments are quite capable of deciding which security
tradeoffs meet their organizations' requirements. Browser
publishers are better situated than standards committees, but it
should be noted that there is a good representation of browser
publishers on the standards committees. Perhaps a better example
is opportunistic email encryption, where the requirements are
quite different from the browser case, and are not as well
represented on the standards committees. Almost completely
absent from the committees is the SCADA world, and their
requirements probably are radically different from either
browser or email requirements. I expect I'm leaving a whole
bunch of areas out of this list.
Now mapping requirements to algorithm choices requires some
knowledge of the characteristics of the various algorithms. It
is possible for IT departments to learn this information, or
they can hire high priced consultants. :-)
In any case, the standards committees don't have enough
knowledge to make good decisions.
Cheers - Bill
---------------------------------------------------------------------------
Bill Frantz        | "I wish there was a knob on the TV to turn up the
408-356-8506       | intelligence. There's a knob called "brightness", but
www.pwpconsult.com | it doesn't work." -- Gallagher