RE: Security via Sounding Impressive

• To: szabo@netcom.com, www-security@ns2.rutgers.edu
• Subject: RE: Security via Sounding Impressive
• From: Jonathon Tidswell <t-jont@microsoft.com>
• Date: Mon, 20 Nov 95 10:08:28 TZ

Supposedly Nick Szabo  <szabo@netcom.com> wrote:

| I've notice an interesting pattern in how security mechanisms are named.
| On the one hand, we have some security features with very impressive sounding
| names:
|
| Certification *Authority*
| *Authorization*
| *Trusted* Server
| *Master* Key
| etc.

I wonder what historical context makes people give these words some 
(undesrved ?) emotional weight ?
Perhaps its the implication of the proper use of appropriate 
techniques/mechanisms ?

| These words fill most people with awe and good will towards the feature so
| named. They also make good channel markers, pointing out the 
_insecure_ parts
| of the system.  The effect is to cover up the lack or inadequecy
| of a mechanism with invocations that put our brains to sleep. This
| is quite lucrative for marketing purposes, but it works on
| many designers of security features as well!
|
| On the other hand, when we isolate the actual mechanisms of a system
| are in fact  mathematically secure, we get names like:
|
| Encryption
| Blinding
| Message Digest
| Mix
| Capability
|
| These are just plain, boring words, with no connotation that we should
| trust them like we trust our big brother.  They just work.

What you are really saying is that you trust some statements (that the 
mechanisms described above actually work) actually come from an 
authority whose judgement can be trusted.  Or are you asserting that we 
should use you as a certifcation authority and believe you when you say 
these mechanisms work ?

All computer security ends up in trust, trust placed by a human in a 
piece of hardware or software. Some obtain this trust directly by 
attempting to break it and failing, others by studying mathematical 
proofs. Still others obtain it indirectly by contact with people who 
obtained it directly, still more rely on certificates from certifaction 
authorities.

Academic journal reviewers are typically better certification 
authorities, but are far less accessible than TV and trashy journals 
which are very bad certification authorities.

- Jon Tidswell
Disclaimer: I think my thoughts are my own, and I believe my writings 
are too.

• Re: Security via Sounding Impressive
• From: Owen Rees <rtor@ansa.co.uk>
• RE: Security via Sounding Impressive
• From: Steve Dabbs <sdabbs@netcom.com>

• Previous: Re: mail port [Off Topic]
• Next: Re: mail port [Off Topic]
• Index(es):
  • Index
  • Thread