[Cryptography] best practices considered bad term
Kent Borg
kentborg at borg.org
Fri Feb 6 18:10:25 EST 2015
On 02/06/2015 04:51 PM, Arnold Reinhold wrote:
> Sound like the start of a best practices guide. Yes security is hard
> an yes we know more about why it’s hard than we do about how to do it
> right. But is that a reason not to collect what we do know in a form
> that implementers can avoid the grossest mistakes?
Sure, collect it, write books about it, improve upon it, make it better,
make it more complete, toss out stupid bits, badmouth broken things,
praise good things, argue, win and lose arguments, repeat all that.
But "best practices" has a seductive sound suggesting "I'll take that!",
and be done.
Any sentence that uses the term would be better off striking it and
substituting words that have actual meaning.
Ah, but then one would have to stop and figure out what one is trying to
do...damn! Can't I just ask for Wholesome Apple Pie and be done?
No.
> In the construction industry an early question when bidding a new
> project is how far down do we have to dig to find competent bed rock.
> Where is bedrock in computer security? How does one build the simplest
> system that we can be sure will not be compromised? There is no point
> to encryption if we don’t have a safe platform to encrypt on.
Where is the bedrock in the analog world's anti-fraud industry? Ain't no
such thing. Bad guys keep innovating. And computers--moving
fast--provide so many new and /juicy/ opportunities for nimble bad guys.
In the real world we all need to know about fraud, starting with
traditional bedtime stories for children. Computers are part of the real
world now.
People want to use modern computer tools but don't want learn about the
properties or risks of those tools; they want to delegate to some
affordable expert, someone who won't rock any boats, who will sell them
a load of "best practices".
-kb, the Kent who is sorry to say that, though civilians won't have to
learn esoteric design properties of block cyphers, they are actually
going to have to learn about larger systems and security because they,
and details of their behavior, are key components of those systems.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150206/f4d98260/attachment.html>
More information about the cryptography
mailing list