RE: Security via Sounding Impressive
Supposedly Nick Szabo <szabo@netcom.com> wrote:
| I've noticed an interesting pattern in how security mechanisms are named.
| On the one hand, we have some security features with very impressive sounding
| names:
|
| Certification *Authority*
| *Authorization*
| *Trusted* Server
| *Master* Key
| etc.
I wonder what historical context makes people give these words some
(undeserved?) emotional weight?
Perhaps it's the implication of the proper use of appropriate
techniques/mechanisms?
| These words fill most people with awe and good will towards the feature so
| named. They also make good channel markers, pointing out the
| _insecure_ parts
| of the system. The effect is to cover up the lack or inadequacy
| of a mechanism with invocations that put our brains to sleep. This
| is quite lucrative for marketing purposes, but it works on
| many designers of security features as well!
|
| On the other hand, when we isolate the actual mechanisms of a system that
| are in fact mathematically secure, we get names like:
|
| Encryption
| Blinding
| Message Digest
| Mix
| Capability
|
| These are just plain, boring words, with no connotation that we should
| trust them like we trust our big brother. They just work.
What you are really saying is that you trust some statements (that the
mechanisms described above actually work) actually come from an
authority whose judgement can be trusted. Or are you asserting that we
should use you as a certification authority and believe you when you say
these mechanisms work?
All computer security ends up in trust, trust placed by a human in a
piece of hardware or software. Some obtain this trust directly by
attempting to break it and failing, others by studying mathematical
proofs. Still others obtain it indirectly by contact with people who
obtained it directly, still more rely on certificates from certification
authorities.
Academic journal reviewers are typically better certification
authorities, but are far less accessible than TV and trashy journals
which are very bad certification authorities.
- Jon Tidswell
Disclaimer: I think my thoughts are my own, and I believe my writings
are too.