RE: Security via Sounding Impressive
Sounds like the designers were into bdsm a little too much, the words do
need a bit of modernization for the public :) Any suggestions?
On Mon, 20 Nov 1995, Jonathon Tidswell wrote:
>
> Supposedly Nick Szabo <szabo@netcom.com> wrote:
>
> | I've noticed an interesting pattern in how security mechanisms are named.
> | On the one hand, we have some security features with very impressive sounding
> | names:
> |
> | Certification *Authority*
> | *Authorization*
> | *Trusted* Server
> | *Master* Key
> | etc.
>
> I wonder what historical context makes people give these words some
> (undeserved ?) emotional weight ?
> Perhaps it's the implication of the proper use of appropriate
> techniques/mechanisms ?
>
> | These words fill most people with awe and good will towards the feature so
> | named. They also make good channel markers, pointing out the _insecure_ parts
> | of the system. The effect is to cover up the lack or inadequacy
> | of a mechanism with invocations that put our brains to sleep. This
> | is quite lucrative for marketing purposes, but it works on
> | many designers of security features as well!
> |
> | On the other hand, when we isolate the actual mechanisms of a system
> | that are in fact mathematically secure, we get names like:
> |
> | Encryption
> | Blinding
> | Message Digest
> | Mix
> | Capability
> |
> | These are just plain, boring words, with no connotation that we should
> | trust them like we trust our big brother. They just work.
>
> What you are really saying is that you trust some statements (that the
> mechanisms described above actually work) actually come from an
> authority whose judgement can be trusted. Or are you asserting that we
> should use you as a certification authority and believe you when you say
> these mechanisms work ?
>
> All computer security ends up in trust, trust placed by a human in a
> piece of hardware or software. Some obtain this trust directly by
> attempting to break it and failing, others by studying mathematical
> proofs. Still others obtain it indirectly by contact with people who
> obtained it directly, still more rely on certificates from certification
> authorities.
>
> Academic journal reviewers are typically better certification
> authorities, but are far less accessible than TV and trashy journals
> which are very bad certification authorities.
>
> - Jon Tidswell
> Disclaimer: I think my thoughts are my own, and I believe my writings
> are too.
>
>
>