[Cryptography] Two questions of security
Phillip Hallam-Baker
phill at hallambaker.com
Mon Mar 7 21:28:13 EST 2016
I just released a new set of Mesh specs, I am now working on getting
the site set up with a decent explanation of what is going on. In
particular, I am trying to compress the following argument to a couple
of pithy one liners. Was wondering if people might have ideas:
Traditional access control approaches were created in the era when the
problem was how to divide the computing resources of one machine
between many people. Today our typical security problem is the exact
opposite - one user has many, computing devices. And as every consumer
good 'becomes intelligent' or at least adds networking capabilities,
the problem gets worse.
As a result, we end up authenticating the wrong thing. Instead of
authenticating the users, we need to authenticate machines.
The Mesh reduces this problem to two questions:
1) Do I want to control this device? If so, for what purposes?
2) Is this device under my control?
I buy a new device, it might be a laptop, a mobile phone, a new car
but in this case it is a garage door opener.
I tell the garage door opener it is under my control, the only purpose
it supports is opening the door. The door opener confirms that it is
under my control. Now I can press the open door button in my car and a
cryptographically secure challenge response protocol using real
cryptography rather than junk that was broken 20 years ago takes
place.
More information about the cryptography
mailing list