
RE: Security via Sounding Impressive



Sounds like the designers were into BDSM a little too much; the words do
need a bit of modernization for the public :) Any suggestions?


On Mon, 20 Nov 1995, Jonathon Tidswell wrote:

> 
> Supposedly Nick Szabo  <szabo@netcom.com> wrote:
> 
> | I've noticed an interesting pattern in how security mechanisms are named.
> | On the one hand, we have some security features with very impressive sounding
> | names:
> |
> | Certification *Authority*
> | *Authorization*
> | *Trusted* Server
> | *Master* Key
> | etc.
> 
> I wonder what historical context makes people give these words some
> (undeserved ?) emotional weight ?
> Perhaps it's the implication of the proper use of appropriate
> techniques/mechanisms ?
> 
> | These words fill most people with awe and good will towards the feature so
> | named. They also make good channel markers, pointing out the _insecure_ parts
> | of the system.  The effect is to cover up the lack or inadequacy
> | of a mechanism with invocations that put our brains to sleep. This
> | is quite lucrative for marketing purposes, but it works on
> | many designers of security features as well!
> |
> | On the other hand, when we isolate the actual mechanisms of a system
> | that are in fact mathematically secure, we get names like:
> |
> | Encryption
> | Blinding
> | Message Digest
> | Mix
> | Capability
> |
> | These are just plain, boring words, with no connotation that we should
> | trust them like we trust our big brother.  They just work.
> 
> What you are really saying is that you trust some statements (that the 
> mechanisms described above actually work) actually come from an 
> authority whose judgement can be trusted.  Or are you asserting that we 
> should use you as a certification authority and believe you when you say
> these mechanisms work ?
> 
> All computer security ends up in trust, trust placed by a human in a 
> piece of hardware or software. Some obtain this trust directly by 
> attempting to break it and failing, others by studying mathematical 
> proofs. Still others obtain it indirectly by contact with people who 
> obtained it directly, still more rely on certificates from certification
> authorities.
> 
> Academic journal reviewers are typically better certification 
> authorities, but are far less accessible than TV and trashy journals 
> which are very bad certification authorities.
> 
> - Jon Tidswell
> Disclaimer: I think my thoughts are my own, and I believe my writings 
> are too.
> 
> 
> 

