[Cryptography] What do we mean by Secure?
ianG
iang at iang.org
Sun Feb 8 06:36:39 EST 2015
On 8/02/2015 00:05 am, Bill Frantz wrote:
> On 2/6/15 at 3:10 PM, kentborg at borg.org (Kent Borg) wrote:
> In another interesting policy area, Alan Karp has developed the idea of
> Voluntary Oblivious Compliance (VOC)
> <http://www.hpl.hp.com/personal/Alan_Karp/STAR-201-Karp.ppt>. With VOC,
> the system will help a user follow a policy the user doesn't even
> understand. My favorite version of VOC detects a violation of policy and
> prompts the user, "This action appears to be a violation of our security
> policy. Please click "Cancel" or enter an explanation for your manager."

Interesting idea.

In a roundabout way this is similar to something I wanted created at
CAcert (still waiting). In essence there is a Security Policy, and you
can do whatever is in there. Fine. But you can also breach the rules
if you think you have to. But if you breach those rules, you have to
file a dispute with the Arbitrator, and explain yourself. 4 eyes and all that.

Now, in the system, to support this process, we wanted a comment field
added to every critical action into which you either put your reason or
you put the arbitration case number. Those events with case numbers
would be shot across to the Arbitrator to track, and those without would
go to the CSO, who asks why you haven't filed a dispute yet.

iang
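
The comment-field routing described in the message above, as an added example that is not part of the original post and not CAcert's code. The case-number format, all names, and the refusal of empty comments are assumptions made for the sketch.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumption: case numbers look like "ARB-2015-0042" (format constructed for this example).
CASE_RE = re.compile(r"\bARB-\d{4}-\d{4}\b")


@dataclass(frozen=True)
class CriticalAction:
    actor: str
    action: str
    comment: str  # either a free-text reason or an arbitration case number


def route(event: CriticalAction) -> tuple[str, str]:
    """Pick the reviewer for one critical action from its comment field."""
    comment = event.comment.strip()
    if not comment:
        # Assumption: an empty comment is refused; the post only says the field exists.
        raise ValueError(f"{event.action} by {event.actor}: comment is required")
    match = CASE_RE.search(comment)
    if match:
        return "arbitrator", match.group(0)  # tracked under the filed case
    return "cso", comment                    # CSO asks why no dispute was filed


def dispatch(events):
    """Split a batch of critical actions into per-reviewer queues."""
    queues = defaultdict(list)
    for event in events:
        reviewer, detail = route(event)
        queues[reviewer].append((event.actor, event.action, detail))
    return dict(queues)


# Constructed sample events, not real log data.
SAMPLE = [
    CriticalAction("alice", "restore-backup", "per ARB-2015-0042, approved restore"),
    CriticalAction("bob", "reset-root-password", "console locked out during outage"),
]

if __name__ == "__main__":
    for reviewer, items in dispatch(SAMPLE).items():
        print(reviewer, items)
```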