[Cryptography] best practices considered bad term

Jerry Leichter leichter at lrw.com
Sun Feb 1 23:22:53 EST 2015


On Feb 1, 2015, at 10:56 PM, Bill Frantz <frantz at pwpconsult.com> wrote:
>> So it's certainly a rain dance, but I wouldn't say it's for avoiding security,
>> it's for avoiding liability, a la "no-one ever got fired for buying IBM".
> This statement encapsulates the real value of "best practices". If you follow them, you won't get fired.
Is there some truth to this assertion?  Sure.  But consider the same discussion about the National Electrical Code.  It's a bunch of rules - no justifications or arguments, mind you, just rules.  If you follow the rules, you won't have trouble getting your town's electrical inspector to approve your work.  Or ... you can do it your own way and get into infinite arguments.

If you're an electrician, and you follow the rules, you also are much less likely to be sued, or to lose a suit, if something goes wrong and the house burns down.

Is following the rules in the Code a way of avoiding fights with the town and lawsuits?  Sure.  But is it *just* that?  Hardly.  The Code is, to a large degree, the distillation of many decades of experience with electrical wiring and how it fails.  Is it overkill?  Does it sometimes retain old requirements that no longer make much sense?  Sure.  But if I'm buying a house, I like knowing that it's "up to code".  It may be boring and over-engineered, but it probably won't start a fire while I'm asleep.
                                                        -- Jerry