Interesting People mailing list archives
more on U.S. should fund R&D for secure Internet protocols, Clarke says
From: Dave Farber <dave () farber net>
Date: Fri, 01 Nov 2002 13:42:52 -0500
------ Forwarded Message From: Dave Crocker <dhc2 () dcrocker net> Organization: TribalWise Date: Fri, 01 Nov 2002 10:15:25 -0800 To: Dave Farber <dave () farber net> Cc: ip <ip () v2 listbox com> Subject: Re: <[IP]> U.S. should fund R&D for secure Internet protocols, Clarke says Dave, Security is an outcome, not a technology. Consider the buggy code that Steve Bellovin cites. Consider the social engineering of email viruses that get you to click on a dangerous attachment. Consider the compromised servers that hold thousands of credit card numbers. None of these problems involve "secure Internet protocols". In fact, the Internet already has a considerable bag of technical tricks for Internet protocol security, and there is no indication that any of them lacks adequate strength. The fiasco of 802.11 WEP security and the failure of end-users to employ existing security technologies suggest that the real problems lie elsewhere. We need better methods of designing safe software. We need better methods of designing entire *services* that have end-to-end safety and security, with a focus on administration and operations. We need better methods of designing "usable" security, so that end-users do not find it so daunting. We need more coherent and pragmatics laws concerning use of security technologies, so that vendors can make and distribute high-quality security solutions and customers can buy and operate them. The reference to cost of certificates underscores one area that probably does need better technology, namely certificate administration. We do not yet have an ability to use certificates on a very large scale. (In the Internet, "very large scale" means many millions of users, able to interact with no prior arrangement.) The problem seems to be both with the fragile, cumbersome design of centralized, global certificate hierarchies, and with the fascinating human factors complexity of using certs. Focusing on "Internet protocols" is like worrying about improving tumblers in physical locks. There is nothing wrong with making them better, unless someone seriously thinks that the improvement will have anything at all to do with achieving a more secure home. The successful outcome of a safe and secure Internet needs a focus on systems development, system administration and human usability. Protocol algorithms are essentially irrelevant to the threats we face today. d/ ------ End of Forwarded Message ------------------------------------- You are subscribed as interesting-people () lists elistx com To unsubscribe or update your address, click http://v2.listbox.com/member/?member_id=125275&user_secret=1aa8f2d6 Archives at: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- more on U.S. should fund R&D for secure Internet protocols, Clarke says Dave Farber (Nov 01)
- <Possible follow-ups>
- more on U.S. should fund R&D for secure Internet protocols, Clarke says Dave Farber (Nov 01)