[Cryptography] What do we mean by ... ???

ianG iang at iang.org
Tue Feb 17 16:40:39 EST 2015 

Hi John,

On 17/02/2015 19:58 pm, John Denker wrote:
> On 02/07/2015 05:05 PM, Bill Frantz wrote:
>>
>> The more I hear people talk about making thing secure, the more I
>> hope they will explain what they mean by secure.
>
> I've been enjoying this voluminous thread ... and also
> the one about "best practices".
>
> Here's my two millicents worth:
>
> Ideas are primary and fundamental.  Terminology is tertiary.
> Terminology is important only insofar as it helps us formulate
> and communicate the ideas.
>
> 1) It is nice to see that despite the title, the "best
> practices considered bad term" discussion was almost
> entirely about ideas, not terminology.

My original complaint is one about the term:  "best practices" is by 
definition of how the process arises not best, and is in fact close to 
lowest common denominator.


> Small constructive suggestion:  Insofar as BCP (best current
> practices) is a term open to abuse, we can use a different
> term, perhaps BPP (baseline prudent practices) ... with the
> understanding that any particular instance ought to exceed
> the baseline by a wide margin.


That is a good suggestion!  And the B matches.  Baseline is a far closer 
term.

(I'm not so sure about Prudent.  I'm quite happy with Current as it does 
rather point out it's what we do now, if only because now is not then.)


> 2) As for the terminology of "security", in my book that's
> asking the wrong question.  Some people use the term
> "reliability" to cover a combination of security and
> availability.  For example:
>    -- The proverbial air-gapped abacus in a vault inside
>     a Faraday cage surrounded by armed guards is very high
>     on security, but low on availability and usability.
>    -- The converse is more complicated.  Availability
>     (especially in the long term) requires security against
>     intrusion;  otherwise hackers will take down your
>     system whereupon you have neither availability nor
>     security, much less reliability.  Still, though,
>     availability is not the only requirement, especially
>     if you have secrets that you need to keep.  You
>     don't want your secrets to be available to everybody.
>     So reliability really is the better idea, comprising
>     both security and availability.

Yup indeed.  Perhaps we should rename the entire field to Cryptographic 
Reliability?



iang


> 3)

More information about the cryptography mailing list