[Cryptography] best practices considered bad term

[Kent Borg]

On 02/01/2015 09:44 AM, Peter Gutmann wrote:
> In medicine and agriculture we know from real-world experience that if 
> you don't follow best practice (in the use of antibiotics, fungicides, 
> whatever), bad things will happen. In the crypto world if you don't 
> follow best practice (pick someone's at random, it doesn't make much 
> difference) chances are nothing will happen

The term "best practices" suggests following some meretricious standard 
without being obligated to name any specific standard--let alone defend 
any choice. It temps with the promise of a standard so good it will fix 
things, while suppressing further discussion.

Standards are good. But even with good crypto standards to choose from 
(AES-265, SHA-512 both seem good circa 2015), we have to understand and 
define each larger problem where we might use them, and real systems are 
too complex to precisely understand and define, let alone have standard 
solutions.

Just as we have never managed to standardize the analog world to be safe 
from fraud, we can't standardize secure computer systems of any size. In 
both cases the enemy is crafty and the enemy is among us--I suggest the 
enemy is always within the boundaries of any large system. We can be 
work to safer or less safe, more or less stupid, get results more or 
less like building with toothpicks, but the battle will ever continue.

Yes, in addition to specific standards, there is an evolving body of 
knowledge--there are known stupid and smart ways to do things (whether 
to salt password hashes, for example)--but one still has to understand 
and build a larger system, and buzzwords like "best practices" suggest a 
shortcut to a complete solution, and that is bad.

-kb, the Kent who doesn't even want to think on more clever stupidities 
like ISO-9000.