Re: caching protected documents



On Wed, 20 Dec 1995, Pitt Crandlemire wrote:

> I don't think anyone could do that for me (or anyone else).  Is it
> Netscape's responsibility to anticipate and predict the potential security
> concerns of every end-user or is it the responsibility of the end-user to
> ensure that they maintain an adequate level of security for their
> environment?  I think the latter; obviously, you disagree.

Yes, I do.  You obviously pride yourself in your work to train others in
your company to handle this stuff well.  That is well and good, but for
the commercial Internet to work it must be usable by an uneducated (and
uneducatable) public.  I don't say that to look down on anyone, but few
have time, inclination or understanding to tackle computer security in
depth.  They shouldn't have to. 

Netscape's (or anyone else's that is working in this area) job as I see it
is to make this stuff manageable and secure for the end user so they (end
user) don't have to understand it in depth to make it work.  There simply
is no other way that applications that require security on the Internet
will ever work.  The issues are too involved and change too rapidly. 

An analogy: if you require treatment for cancer, can you possibly expect to
understand in depth all that is required in treatment?  Not even remotely,
because the field is changing so very rapidly.  You can learn about some
of the options in treatment and can make somewhat informed opinions, but
at some point you must trust *someone* to even tell you what those options
are.  You must trust that the overall system has the checks and balances
in place so that the treatments you must go through are as safe as can be
reasonably expected.  This is true whether you are out in surgery (how did
the anesthesiologist's husband treat her that morning?), taking radiation
(who calibrated the dosimeter last week?), chemotherapy (are you getting
the treatment that the guy next to you should be getting?  who measured 
this stuff out, anyway?), etc.

You don't want others managing the security of your personal environment,
and for you that works.  Yet, you trust others all the time in your life
to manage areas that you can neither understand nor manage for yourself.
You trust the system to work as established, because you trust that there 
are controls against fraud, abuse, etc.

This is a decision you make as part of your own risk management.  Part of
this is deciding where you must trust others, because your own control over
your life is very, very finite. 

Those same controls must be put in place in the infrastructure as an
essential part of the Internet.  Today, we don't have it because the 'net
was not designed for what it is being used for today.  That is and will
continue to change until it is in place.

Michael
---------------------------------------------------------------------
Michael Brennen, President   /           /           mbrennen@fni.com
FishNet, Inc.               / Internet  /         http://www.fni.com/ 
P.O. Box 940451            /  Services /     (214) 783-2553 (vox/fax)
Plano,  TX  75094-0451    /           /  finger me for PGP public key


