[Cryptography] best practices considered bad term
Jerry Leichter
leichter at lrw.com
Sun Feb 1 10:29:36 EST 2015
On Feb 1, 2015, at 9:54 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
>> A *good* description of "best practices" would actually help things.
>
> You don't just need a description, you need a rationale. Taking the example
> in my previous message of agricultural use of fungicide, "Don't use
> myclobutanil more than three times in one growing season or you'll produce
> resistant strains". That's advice, rationale, and consequences of not
> following the advice in a single statement.
Absolutely.
The Secure <X> Coding CERT - where <X> can be instantiated with several widely-used programming languages - generally do this very well. Not only do they provide a rationale, they usually provide examples, both positive and negative. People will remember a good example long after the wording of the principle has faded from memory.
-- Jerry